HAS_CA

Summary

FSProtect ACL Alias

HAS_CA

Affected Object Types

Computers

Exploitation Certainty

Certain

Description

The HAS_CA edge in Active Directory indicates that a specific computer hosts a Certificate Authority (CA). This role is important for providing Public Key Infrastructure (PKI) services, enabling the issuance and management of digital certificates across the network. A CA helps enforce secure communication, authenticate identities, and establish trusted relationships among services and components.

The HAS_CA edge itself does not represent a direct vulnerability, but it can be a risk factor depending on the environment's overall security posture and configuration. For example, if a Certificate Authority is misconfigured, has weak access controls, or lacks adequate auditing, an attacker might exploit those weaknesses to issue unauthorized certificates, impersonate trusted services, or compromise the integrity of certificate chains. Such actions can enable lateral movement, bypass security controls, or provide persistent access to critical assets.

Identification

PowerShell

Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate HAS_CA entries.

Function: Find-HAS_CA

function Find-HAS_CA {
    [CmdletBinding()]
    param ([string]$ComputerDistinguishedName = $null,[string]$OutputPath = ".\HAS_CA.csv" )
    # 1) Load ActiveDirectory module
    Import-Module ActiveDirectory -ErrorAction Stop
    # 2) Get Configuration Naming Context
    try {
        $configurationNC = (Get-ADRootDSE).ConfigurationNamingContext
    }
    catch {
        Write-Error "Failed to retrieve ConfigurationNamingContext: $($_.Exception.Message)"
        return
    }
    # 3) Query all Certificate Authority objects
    try {
        $caObjects = Get-ADObject -SearchBase $configurationNC  -LDAPFilter "(objectClass=pKIEnrollmentService)"  -Properties dNSHostName
    }
    catch {
        Write-Error "Failed to query CA objects: $($_.Exception.Message)"
        return
    }

    # 4) Filter by specific computer if provided
    if ($ComputerDistinguishedName) {
        try {
            $dNSHostName = (Get-ADComputer -Identity $ComputerDistinguishedName -Properties dNSHostName).dNSHostName
            $caObjects = $caObjects | Where-Object { $_.dNSHostName -eq $dNSHostName }
        }
        catch {
            Write-Error "Failed to match CA to specified computer: $($_.Exception.Message)"
            return
        }
    }
    # 5) Format results
    $formattedResults = $caObjects | Select-Object Name, dNSHostName
    # 6) Export results if found
    if ($formattedResults -or $formattedResults.Count -gt 0) {
        try {
            $formattedResults | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 -ErrorAction Stop
            Write-Host "Results exported to '$OutputPath'"
        }
        catch {Write-Error "Failed to export to CSV: $($_.Exception.Message)"}
    }
    else {Write-Output "No HAS_CA entries found."}
}
  1. Scan all CA objects in the forest (CA registrations live in the configuration partition, so one query covers every domain)

Find-HAS_CA
  2. Scan the CA hosted on a specific computer, by the computer's distinguished name

Find-HAS_CA -ComputerDistinguishedName 'CN=FSCA01,CN=Computers,DC=forestall,DC=labs'

Active Directory Service Interfaces (GUI)

To identify HAS_CA entries using ADSI Edit, follow these steps:

1. Open ADSI Edit on a Windows server with the appropriate tools installed.

2. Expand: Configuration > Services > Public Key Services > Enrollment Services.

3. Each object listed under Enrollment Services is one enterprise CA (object class pKIEnrollmentService). The computer that hosts it is not listed by name here; it is recorded in the object's dNSHostName attribute.

4. Right-click a CA server and select Properties.

5. In the Properties window, read dNSHostName to find the hosting computer (the target of the HAS_CA edge) and cn for the CA's name. The cn is the CA name, not the computer's hostname, so do not match on it when correlating to computer objects.
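The same walk, done without the ActiveDirectory module. This is an added example, not code from the original page or from FSProtect: it reads the Enrollment Services container with System.DirectoryServices, then resolves each CA's dNSHostName to a computer object through the global catalog so the edge target is a distinguished name rather than just a hostname. The function and property names are this example's own.

```powershell
# Added example (not from the original page): build HAS_CA edges (CA -> hosting
# computer) with System.DirectoryServices only, so it runs without RSAT.
function Get-HasCaEdge {
    [CmdletBinding()]
    param ()

    # RootDSE gives the configuration partition (forest-wide, where CA registrations
    # live) and the forest root domain, used below as the global-catalog search base.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $rootNc   = $rootDse.rootDomainNamingContext.Value

    # Enrollment Services holds one pKIEnrollmentService object per enterprise CA.
    $enrollmentDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $caSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $caSearcher.SearchRoot  = [ADSI]"LDAP://$enrollmentDn"
    $caSearcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $caSearcher.Filter      = '(objectClass=pKIEnrollmentService)'
    [void]$caSearcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'certificateTemplates'))

    foreach ($ca in $caSearcher.FindAll()) {
        # SearchResult property names come back lower-cased; @(...)[0] yields $null when absent.
        $caName   = @($ca.Properties['cn'])[0]
        $hostName = @($ca.Properties['dnshostname'])[0]

        # Resolve the hosting computer through the global catalog, because the CA host
        # may sit in any domain of the forest. dNSHostName is part of the GC partial
        # attribute set, so no connection to the host's own domain is needed.
        $computerDn = $null
        if ($hostName) {
            $pcSearcher = New-Object System.DirectoryServices.DirectorySearcher
            $pcSearcher.SearchRoot = [ADSI]"GC://$rootNc"
            $pcSearcher.Filter     = "(&(objectClass=computer)(dNSHostName=$hostName))"
            [void]$pcSearcher.PropertiesToLoad.Add('distinguishedName')
            $pc = $pcSearcher.FindOne()
            if ($pc) { $computerDn = @($pc.Properties['distinguishedname'])[0] }
        }

        # One object per edge: the CA registration and the computer it points at.
        [PSCustomObject]@{
            CA         = $caName
            CAObjectDN = $ca.Path
            HostName   = $hostName
            ComputerDN = $computerDn   # $null means the edge target could not be resolved
            Templates  = (@($ca.Properties['certificatetemplates']) -join ';')
        }
    }
}

# Usage: Get-HasCaEdge | Format-Table CA, HostName, ComputerDN
```

A CA whose dNSHostName does not resolve to any computer object (ComputerDN stays $null) is worth a second look: either the registration is stale, or the host lives where the account running the query cannot read it.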

Exploitation

The HAS_CA edge is informational: it records which computer hosts an enterprise Certificate Authority and does not itself provide an exploitable path. Its value is context. The computer it points to issues certificates the whole forest trusts, so a weakness found on that host or in the CA's configuration carries far more weight than the same weakness on an ordinary member server.

Mitigation

No specific mitigation applies to the HAS_CA edge itself, since it only records that a computer hosts a Certificate Authority. The practical consequence is scoping: treat the computer at the end of the edge as Tier 0, because whoever administers it controls what the CA signs.

Detection

A HAS_CA edge appears, disappears or changes target when a pKIEnrollmentService object under Enrollment Services is created, removed, or has its dNSHostName or certificateTemplates attribute modified. On the domain controller side these are directory object changes, visible through Event ID 5136 (and 4662) once Directory Service Changes / Directory Service Access auditing is enabled and a SACL covers the Enrollment Services container. On the CA host itself, Certificate Services logs its own events when its permissions, published CA certificate, database or templates change. The relevant Event IDs:

Event ID | Description | Fields/Attributes | References
5136 | A directory service object was modified. | ObjectDN, AttributeLDAPDisplayName (e.g. dNSHostName, certificateTemplates), AttributeValue | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
4662 | An operation was performed on an object. | ObjectName, AccessList, AccessMask | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
4882 | The security permissions for Certificate Services changed. | Permissions | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)
4895 | Certificate Services published the CA certificate to Active Directory Domain Services (often indicates a new CA registration). | CA certificate details | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895
4896 | One or more rows have been deleted from the certificate database. | Row details | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896
4898 | Certificate Services loaded a template. | Template name | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898
4899 | A Certificate Services template was updated. | Template attributes | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899
4900 | Certificate Services template security was updated. | ACL changes | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900
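To turn the table into something that runs, here is an added detection example; it is not code from the original page or from FSProtect. It flattens Security-log records for the listed IDs, keeps a 5136 only when the modified object sits under Enrollment Services (other 5136s, such as ACL edits on unrelated objects, do not concern this edge), keeps every CA-side 48xx event, and exercises that filter against constructed sample records so it can run offline. The configuration NC, hostnames and user name are placeholders for a lab.

```powershell
# Added detection example (not from the original page). $ConfigurationNC is a
# placeholder; the $samples at the bottom are constructed, not real log data.
$ConfigurationNC      = 'CN=Configuration,DC=forestall,DC=labs'
$EnrollmentServicesDN = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigurationNC"
# 5136 is logged on the DC (needs "Audit Directory Service Changes" plus a SACL on the
# container); the 48xx events are logged by Certificate Services on the CA host.
$CaEventIds = 5136, 4882, 4895, 4896, 4898, 4899, 4900

function ConvertFrom-SecurityEvent {
    # Turn an EventLogRecord into an object whose EventData fields sit in a hashtable.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml    = [xml]$Record.ToXml()
        $fields = @{}
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d.Name) { $fields[$d.Name] = [string]$d.'#text' }
        }
        [PSCustomObject]@{ Id = [int]$Record.Id; Time = $Record.TimeCreated; Computer = $Record.MachineName; Fields = $fields }
    }
}

function Test-CaRegistrationEvent {
    # $true when the flattened event changes where a HAS_CA edge points or what the CA can issue.
    param([Parameter(Mandatory)] $Event)
    switch ($Event.Id) {
        5136 {
            # A 5136 on an object under Enrollment Services is a CA registration change:
            # a new pKIEnrollmentService entry, dNSHostName re-pointing the edge, or an
            # edited certificateTemplates list. Anything outside that container is ignored.
            return ([string]$Event.Fields['ObjectDN'] -like "*,$EnrollmentServicesDN")
        }
        { $_ -in 4882, 4895, 4896, 4898, 4899, 4900 } { return $true }   # CA-side events: always relevant
        default { return $false }
    }
}

function Get-CaRegistrationEvent {
    # Live query. Point it at a DC for 5136 and at the CA host for the 48xx events.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Security'; Id = $CaEventIds }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ConvertFrom-SecurityEvent |
        Where-Object { Test-CaRegistrationEvent $_ }
}

# Constructed sample records: the first two should be kept, the third dropped.
$samples = @(
    [PSCustomObject]@{ Id = 5136; Time = Get-Date; Computer = 'FSDC01'; Fields = @{
        ObjectDN = "CN=forestall-FSCA01-CA,$EnrollmentServicesDN"; ObjectClass = 'pKIEnrollmentService'
        AttributeLDAPDisplayName = 'dNSHostName'; AttributeValue = 'fsca02.forestall.labs'; SubjectUserName = 'jdoe' } }
    [PSCustomObject]@{ Id = 4900; Time = Get-Date; Computer = 'FSCA01'; Fields = @{} }
    [PSCustomObject]@{ Id = 5136; Time = Get-Date; Computer = 'FSDC01'; Fields = @{
        ObjectDN = 'CN=FS01,CN=Computers,DC=forestall,DC=labs'; AttributeLDAPDisplayName = 'nTSecurityDescriptor' } }
)
$samples | Where-Object { Test-CaRegistrationEvent $_ } |
    ForEach-Object { '{0} {1} {2}={3}' -f $_.Id, $_.Computer, $_.Fields['AttributeLDAPDisplayName'], $_.Fields['AttributeValue'] }
```

The first sample is the case that matters most for this edge: a dNSHostName change on a CA registration silently moves the HAS_CA edge to a different computer, and because Get-ADObject and ADSI Edit both read that attribute, an attacker with write access to the pKIEnrollmentService object could also point clients at a rogue host. Run the live function on a domain controller and a CA host separately, since each only holds its own half of the events.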
