# HAS_CA

## Summary

|                            |           |
| -------------------------- | --------- |
| **FSProtect ACL Alias**    | HAS_CA    |
| **Affected Object Types**  | Computers |
| **Exploitation Certainty** | Certain   |

## Description

The `HAS_CA` edge in Active Directory indicates that a specific computer hosts a Certificate Authority (CA). This role is important for providing Public Key Infrastructure (PKI) services, enabling the issuance and management of digital certificates across the network. A CA helps enforce secure communication, authenticate identities, and establish trusted relationships among services and components.

The `HAS_CA` edge itself does not represent a direct vulnerability, but it can be a risk factor depending on the environment's overall security posture and configuration. For example, if a Certificate Authority is misconfigured, has weak access controls, or lacks adequate auditing, an attacker might exploit those weaknesses to issue unauthorized certificates, impersonate trusted services, or compromise the integrity of certificate chains. Such actions can enable lateral movement, bypass security controls, or provide persistent access to critical assets.

## Identification

### PowerShell

#### Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate `HAS_CA` entries.

Function: `Find-HAS_CA`

```powershell
function Find-HAS_CA {
    [CmdletBinding()]
    param (
        [string]$ComputerDistinguishedName = $null,
        [string]$OutputPath = ".\HAS_CA.csv"
    )
    # 1) Load ActiveDirectory module
    Import-Module ActiveDirectory -ErrorAction Stop
    # 2) Get Configuration Naming Context
    try {
        $configurationNC = (Get-ADRootDSE).ConfigurationNamingContext
    }
    catch {
        Write-Error "Failed to retrieve ConfigurationNamingContext: $($_.Exception.Message)"
        return
    }
    # 3) Query all Certificate Authority objects (pKIEnrollmentService) in the configuration partition.
    #    -ErrorAction Stop turns a failed query into a terminating error so the catch block runs.
    try {
        $caObjects = Get-ADObject -SearchBase $configurationNC -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName -ErrorAction Stop
    }
    catch {
        Write-Error "Failed to query CA objects: $($_.Exception.Message)"
        return
    }
    # 4) Filter by specific computer if provided (match the CA object's dNSHostName to the computer's)
    if ($ComputerDistinguishedName) {
        try {
            $dNSHostName = (Get-ADComputer -Identity $ComputerDistinguishedName -Properties dNSHostName -ErrorAction Stop).dNSHostName
            $caObjects = $caObjects | Where-Object { $_.dNSHostName -eq $dNSHostName }
        }
        catch {
            Write-Error "Failed to match CA to specified computer: $($_.Exception.Message)"
            return
        }
    }
    # 5) Format results (wrap in @() so .Count is reliable for zero or one result)
    $formattedResults = @($caObjects | Select-Object Name, dNSHostName)
    # 6) Export results if found
    if ($formattedResults.Count -gt 0) {
        try {
            $formattedResults | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 -ErrorAction Stop
            Write-Host "Results exported to '$OutputPath'"
        }
        catch {
            Write-Error "Failed to export to CSV: $($_.Exception.Message)"
        }
    }
    else {
        Write-Output "No HAS_CA entries found."
    }
}
```

1. Scan all CA objects in the domain

```powershell
Find-HAS_CA
```

2. Scan a specific CA server by distinguished name

```powershell
Find-HAS_CA -ComputerDistinguishedName 'CN=FSCA01,CN=Computers,DC=forestall,DC=labs'
```

### Active Directory Service Interfaces (GUI)

To identify `HAS_CA` entries using ADSI Edit, follow these steps:

**1.** Open ADSI Edit on a Windows server with the appropriate tools installed.

**2.** Expand: Configuration > Services > Public Key Services > Enrollment Services.

**3.** The computers listed are the Certificate Authority (CA) servers in the domain.

**4.** Right-click a CA server and select Properties.

**5.** In the Properties window, check the `dNSHostName` or `cn` attribute to confirm the CA role.
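The Enrollment Services container that ADSI Edit shows can also be read programmatically with the built-in System.DirectoryServices classes, so no ActiveDirectory module is needed. The block below is an added example, not part of the FSProtect documentation, and goes one step further than the GUI steps: it resolves each CA's `dNSHostName` to the computer account it names, which is the computer the `HAS_CA` edge points at, and reports whether that account is enabled. The function name `Get-HasCaEdge` is my own.

```powershell
# Added example (not FSProtect code): enumerate HAS_CA edges with System.DirectoryServices
# and map each CA object to the computer account behind its dNSHostName.
function Get-HasCaEdge {
    [CmdletBinding()]
    param ()

    # Naming contexts from RootDSE: the CA objects live in the configuration partition,
    # the computer accounts in the domain partition.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = [string]$rootDse.configurationNamingContext
    $defaultNc = [string]$rootDse.defaultNamingContext

    # Same container as ADSI Edit: Configuration > Services > Public Key Services > Enrollment Services
    $enrollmentPath = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $caSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $caSearcher.SearchRoot = [ADSI]$enrollmentPath
    $caSearcher.Filter     = '(objectClass=pKIEnrollmentService)'
    [void]$caSearcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))

    foreach ($ca in $caSearcher.FindAll()) {
        # ResultPropertyCollection keys are lower-cased
        $caName = [string]$ca.Properties['cn'][0]
        $caHost = [string]$ca.Properties['dnshostname'][0]

        # Resolve the hosting computer account by its dNSHostName in the domain partition
        $compSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $compSearcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
        $compSearcher.Filter     = "(&(objectClass=computer)(dNSHostName=$caHost))"
        [void]$compSearcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userAccountControl'))
        $comp = $compSearcher.FindOne()

        $computerDn = $null
        $enabled    = $null
        if ($comp) {
            $computerDn = [string]$comp.Properties['distinguishedname'][0]
            $uac        = [int]$comp.Properties['useraccountcontrol'][0]
            $enabled    = -not ($uac -band 0x2)   # 0x2 = ACCOUNTDISABLE
        }

        [pscustomobject]@{
            CA              = $caName
            DNSHostName     = $caHost
            ComputerDN      = $computerDn      # $null means no matching computer account was found
            ComputerEnabled = $enabled
            TemplateCount   = $ca.Properties['certificatetemplates'].Count
        }
    }
}

Get-HasCaEdge | Format-Table -AutoSize
```

A CA object whose `dNSHostName` resolves to no computer account, or to a disabled one, is worth a closer look: the edge then points at a host that the domain no longer vouches for, which is exactly the stale-registration case the `HAS_CA` edge is meant to surface.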

## Exploitation

The `HAS_CA` edge represents the presence of a Certificate Authority in the environment and does not itself provide an exploitable path.

## Mitigation

No specific mitigation applies to the `HAS_CA` edge. Because it only represents the existence of a Certificate Authority and does not indicate an exploitable path, no direct mitigation is required.

## Detection

Adding new Access Control Entries to Active Directory objects changes the `ntSecurityDescriptor` attribute of those objects, and a new CA registers itself by publishing its certificate and templates to the configuration partition. Both kinds of change can be detected using the following Event IDs (5136 and 4662 are logged by the domain controller, the 48xx events by Certificate Services on the CA host):

| Event ID | Description                                                                                                 | Fields/Attributes         | References                                                                                                             |
| -------- | ----------------------------------------------------------------------------------------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| 5136     | A directory service object was modified.                                                                    | ntSecurityDescriptor      | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136>                             |
| 4662     | An operation was performed on an object.                                                                    | AccessList, AccessMask    | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662>                             |
| 4882     | Security permissions for Certificate Services changed.                                                      | Permission                | <https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)> |
| 4895     | A CA certificate was published to Active Directory Domain Services (often indicates a new CA registration). | CA certificate details    | <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895>                             |
| 4896     | A Certificate Services template was published to Active Directory.                                          | Template name, CA details | <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896>                             |
| 4898     | Certificate Services loaded a template.                                                                     | Template name             | <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898>                             |
| 4899     | A Certificate Services template was updated.                                                                | Template attributes       | <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899>                             |
| 4900     | Certificate Services template security was updated.                                                         | ACL changes               | <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900>                             |
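The following block is an added example, not part of the FSProtect documentation, showing how the events in the table above can be pulled from the Security log and reduced to the fields a review of CA-related changes needs. Event 5136 and 4662 records are narrowed to objects under `Public Key Services`, so ordinary directory changes elsewhere are not reported. It assumes that Directory Service Changes auditing is enabled on the domain controller and Certificate Services auditing on the CA, and that the function is run on (or pointed at) the host that holds the relevant log; the function name `Get-CaChangeEvent` is my own.

```powershell
# Added example (not FSProtect code): collect the CA-related audit events listed in the
# Detection table and summarise who changed what, filtering directory events to the PKI container.
function Get-CaChangeEvent {
    [CmdletBinding()]
    param (
        [string]$ComputerName = $env:COMPUTERNAME,          # DC for 5136/4662, CA host for 48xx
        [datetime]$StartTime  = (Get-Date).AddDays(-7)
    )

    $ids    = 5136, 4662, 4882, 4895, 4896, 4898, 4899, 4900
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime }

    # "No events were found" is a non-terminating error; suppress it and return nothing
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields by name from the event XML
        $xml  = [xml]$e.ToXml()
        $data = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Build a one-line detail per event type; PKI-container filtering yields $null for noise
        $detail = switch ($e.Id) {
            5136 {
                if ($data['ObjectDN'] -match 'CN=Public Key Services,CN=Services,CN=Configuration') {
                    "$($data['ObjectDN']) attr=$($data['AttributeLDAPDisplayName']) op=$($data['OperationType'])"
                }
            }
            4662 {
                # ObjectName is the object's DN for directory objects; GUID-only names are dropped here
                if ($data['ObjectName'] -match 'Public Key Services') {
                    "$($data['ObjectName']) mask=$($data['AccessMask'])"
                }
            }
            default {
                # Certificate Services events: list every EventData field as key=value
                ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
            }
        }
        if (-not $detail) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Detail  = $detail
        }
    }
}

Get-CaChangeEvent | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Because 5136 and 4662 are produced by the domain controller while the 48xx events are produced by the CA service itself, run the function once against each host (or forward both logs to a central collector) to get a complete picture of a CA registration or permission change.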

## References

* [Active Directory Certificate Connector - CyberArk Docs](https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/ad-certificates.htm)
* [Configure Server Certificate Autoenrollment - Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment)
