Nodes
EnterpriseCA
Nodes
EnterpriseCA
This article outlines the EnterpriseCA node in BloodHound, it describes what the node represents, the node’s properties, and possible incoming/outgoing edges.
Representation
The EnterpriseCA node represents the Active Directory LDAP objects of the pKIEnrollmentService class located in the Enrollment Services container in the Configuration Naming Context.
Node properties
The node supports the properties of the table. Three types of property names will be used, depending on where the property is found:
- Entity Panel: Name shown in the BloodHound UI.
- Database: Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
- Directory: Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.
| Entity Panel | Database | Directory | Description |
| Object ID | objectid | objectGUID | The object’s unique identifier in the directory. |
| ACL Inheritance Denied | isaclprotected | nTSecurityDescriptor | Whether inherited permissions (ACEs) from containers are blocked on this object. |
| Basic Constraint Path Length | basicconstraintpathlength | caCertificate (X509Certificate) | The maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certificate chain. |
| CA Name | caname | name | Name of the CA in the directory. |
| CA Security Collected | casecuritycollected | - | Whether the Security ACL stored in registry of the CA host has been collected. |
| Certificate Chain | certchain | caCertificate (X509Certificate) | A hierarchical list of certificates starting with the certificate for this CA and ending with a self-signed root certificate. Each certificate is signed by the private key of the next CA certificate. |
| Certificate Name | certname | caCertificate (X509Certificate) | The name of the CA’s certificate. |
| Certificate Thumbprint | certthumbprint | caCertificate (X509Certificate) | The thumbprint (unique identifier) of the CA’s certificate. |
| Created | whencreated | whenCreated | When the object was created in the directory. |
| Distinguished Name | distinguishedname | distinguishedName | The name of the object and its location in AD. |
| DNS Hostname | dnshostname | dNSHostName | The DNS host name of the CA host. |
| Domain FQDN | domain | - | The fully qualified domain name (FQDN) of the domain the object belongs to. |
| Domain SID | domainsid | - | The SID of the domain the object belongs to. |
| Enrollment Agent Restrictions Collected | enrollmentagentrestrictions collected | - | Whether the EnrollmentAgentRights ACL stored in registry of the CA host has been collected. |
| Flags | flags | flags | Various flags controlling features of the enrollment service. |
| Has Basic Constraints | hasbasicconstraints | caCertificate (X509Certificate) | Whether the CA certificate has basic constraints. |
| Has Enrollment Agent Restrictions | hasenrollmentagent restrictions | - | Whether the enrollment agent restrictions are enabled. |
| Is User Specifies San Enabled Collected | isuserspecifiessanenabled collected | - | Whether the EditFlags registry value of the CA host has been collected. |
| Is User Specifies San Enabled | isuserspecifiessanenabled | - | Whether the CA host has the user specifies SAN (EDITF_ATTRIBUTESUBJECTALTNAME2) flag present in its EditFlags registry value. |
| Last Collected by BloodHound | lastseen | - | When the object was last collected and ingested in BloodHound. |
| Role Separation Enabled Collected | roleseparationenabled collected | - | Whether the RoleSeparationEnabled registry value of the CA host has been collected. |
| Role Separation Enabled | roleseparationenabled | - | Whether the CA host enforces role separation i.e. users are not permitted to have the CA Administrator role and if they have the Certificate Manager role and vice versa; |
| Unresolved Published Certificate Templates | unresolvedpublishedtemplates | certificateTemplates | The published certificate templates which could not be found. |
| - | name | name + domain name | Name of the object + @ + the name of the domain. |
Edges
The following edge types may be linked to/from this node. See the edges documentation for more information on the edge types.
Incoming edges
| Edge type | Entity panel category |
| Enroll | Inbound Object Control |
| GenericAll | Inbound Object Control |
| GenericWrite | Inbound Object Control |
| HostsCAService | - |
| IssuedSignedBy | - |
| ManageCA | Inbound Object Control |
| ManageCertificates | Inbound Object Control |
| Owns | Inbound Object Control |
| PublishedTo | - |
| WriteDacl | Inbound Object Control |
| WriteOwner | Inbound Object Control |
Outgoing edges
| Edge type | Entity panel category |
| EnterpriseCAFor | - |
| IssuedSignedBy | - |
| TrustedForNTAuth | - |