OIDGroupLink

Certificate templates may include the IssuancePolicy as an issuance policy extension. Users authenticating using a certificate of such a certificate template will be granted access as a member of the group.

Abuse Info

An attacker may perform the ADCS ESC13 abuse which relies on the OID group link. This relationship alone is not enough to escalate rights or impersonate other principals.

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

Edge Schema

Source: IssuancePolicy
Destination: Group
Traversable: No

References

ADCS ESC13 Abuse Technique
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
Use Authentication Mechanism Assurance (AMA) to secure administrative account login

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Abuse Info

Opsec Considerations

Edge Schema

References

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

Abuse Info

Opsec Considerations

Edge Schema

References