
# NTAuthStore

<img noZoom src="https://mintcdn.com/specterops-bp-2735-release-notes/2djt2Sp9UeFPjBFr/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=2djt2Sp9UeFPjBFr&q=85&s=a791748158fde5ff3b3b82b51497ab39" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Representation

The NTAuthStore node represents the Active Directory LDAP object named *NTAuthCertificates* (of the *certificationAuthority* class) located in the *Public Key Services* container in the Configuration Naming Context.

## Node properties

The node supports the properties listed in the table below. Each property is given under up to three names, depending on where it is found:

* **Entity Panel:** Name shown in the BloodHound UI.
* **Database:** Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
* **Directory:** Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.

| **Entity Panel**             | **Database**        | **Directory**                       | **Description**                                                                                |
| ---------------------------- | ------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------- |
| Object ID                    | `objectid`          | `objectGUID`                        | The object's unique identifier in the directory.                                               |
| ACL Inheritance Denied       | `isaclprotected`    | `nTSecurityDescriptor`              | Whether inherited permissions (ACEs) from containers are blocked on this object.               |
| Certificate Thumbprints      | `certthumbprints`   | `caCertificate` (`X509Certificate`) | The thumbprints (unique identifiers) of the CA certificates trusted for NT authentication.     |
| Created                      | `whencreated`       | `whenCreated`                       | When the object was created in the directory.                                                  |
| Distinguished Name           | `distinguishedname` | `distinguishedName`                 | The name of the object and its location in AD.                                                 |
| Domain FQDN                  | `domain`            | -                                   | The fully qualified domain name (FQDN) of the domain the object belongs to.                    |
| Domain SID                   | `domainsid`         | -                                   | The SID of the domain the object belongs to.                                                   |
| Last Collected by BloodHound | `lastcollected`     | -                                   | The most recent time the object was collected and ingested in BloodHound.                      |
| Last Seen by BloodHound      | `lastseen`          | -                                   | The most recent time the object or a reference to it was collected and ingested in BloodHound. |
| -                            | `name`              | `name` + domain name                | Name of the object + @ + the name of the domain.                                               |

## Edges

The following edge types may be linked to/from this node. See the [edges documentation](/resources/edges) for more information on the edge types.

### Incoming edges

| **Edge type**                                            | **Entity panel category** |
| -------------------------------------------------------- | ------------------------- |
| [GenericAll](/resources/edges/generic-all)               | Inbound Object Control    |
| [GenericWrite](/resources/edges/generic-write)           | Inbound Object Control    |
| [Owns](/resources/edges/owns)                            | Inbound Object Control    |
| [TrustedForNTAuth](/resources/edges/trusted-for-nt-auth) | Trusted CAs               |
| [WriteDacl](/resources/edges/write-dacl)                 | Inbound Object Control    |
| [WriteOwner](/resources/edges/write-owner)               | Inbound Object Control    |

### Outgoing edges

| **Edge type**                                        | **Entity panel category** |
| ---------------------------------------------------- | ------------------------- |
| [NTAuthStoreFor](/resources/edges/nt-auth-store-for) | -                         |
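The following script is an added example for this page, not BloodHound or SharpHound code. It shows how the `caCertificate` values of the directory object map to the `certthumbprints` property, how the `name` property is composed, and two Cypher queries a defender can run against the node: one listing the trusted thumbprints, one returning the inbound object-control edges documented above. It assumes `caCertificate` values are raw DER certificates, that `certthumbprints` holds upper-case hex SHA-1 thumbprints (the `X509Certificate2.Thumbprint` format), that names are stored upper-cased, and that the database label is `NTAuthStore`; the DER blobs and approved list are constructed placeholders.

```python
"""Audit the NTAuth store against an approved-CA list (added example)."""
import hashlib

# Cypher a defender can run in BloodHound. Label, property and edge names are
# the ones documented for this node; the label `NTAuthStore` is assumed.
CYPHER_NTAUTH_THUMBPRINTS = (
    "MATCH (n:NTAuthStore) "
    "RETURN n.name AS store, n.domain AS domain, n.certthumbprints AS thumbprints"
)
CYPHER_NTAUTH_CONTROLLERS = (
    "MATCH p=(c)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:NTAuthStore) "
    "RETURN p"
)


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex, no separators (assumed format)."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprints_from_directory(cacertificate_values: list[bytes]) -> list[str]:
    """Map the multi-valued `caCertificate` attribute to `certthumbprints`."""
    return sorted({thumbprint(v) for v in cacertificate_values})


def bloodhound_name(ldap_name: str, domain_fqdn: str) -> str:
    """`name` = object name + '@' + domain FQDN; upper-casing is assumed."""
    return f"{ldap_name}@{domain_fqdn}".upper()


def unexpected_ntauth_certs(certthumbprints: list[str], approved: set[str]) -> set[str]:
    """Thumbprints in the NTAuth store that are not on the approved-CA list.

    Every hit is a CA certificate trusted for NT authentication that the PKI
    owners did not approve, so it deserves investigation.
    """
    return {t.upper() for t in certthumbprints} - {t.upper() for t in approved}


if __name__ == "__main__":
    # Constructed placeholder DER blobs; only their hashes matter here.
    directory_values = [b"enterprise-ca-der", b"unknown-ca-der"]
    collected = thumbprints_from_directory(directory_values)
    approved = {thumbprint(b"enterprise-ca-der")}
    print(bloodhound_name("NTAuthCertificates", "corp.local"))
    print("Unexpected:", unexpected_ntauth_certs(collected, approved))
```

Feed the result of `CYPHER_NTAUTH_THUMBPRINTS` into `unexpected_ntauth_certs` with your approved list to check the collected data, or run `thumbprints_from_directory` on a live LDAP read of the object to confirm the two agree.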

## References

* [https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/f1004c63-8508-43b5-9b0b-ee7880183745](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/f1004c63-8508-43b5-9b0b-ee7880183745)
* [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953)
* [https://learn.microsoft.com/en-us/windows/win32/adschema/c-certificationauthority](https://learn.microsoft.com/en-us/windows/win32/adschema/c-certificationauthority)
* [https://specterops.io/blog/2024/01/24/adcs-attack-paths-in-bloodhound-part-1/](https://specterops.io/blog/2024/01/24/adcs-attack-paths-in-bloodhound-part-1/)
