
Bug: ADCSWebEnrollmentEPA/hasvulnerableendpoint #2043

@s-bt

Description:

The security check for IIS EPA on the enterprisecas seems to have a bug. During my last audit, ADCSWebEnrollmentEPA was reported as true in the _enterprisecas.json file, which resulted in the BloodHound CE property hasvulnerableendpoint of the EnterpriseCA node being False.

Testing with certipy-ad resulted in the correct value, and the vulnerability could actively be exploited, even though HTTPS was being used on IIS, but EPA was not enabled.

Are you intending to fix this bug?

"no" (not that deep into your code ;))

Component(s) Affected:

  • Data Collector (SharpHound, AzureHound)

Steps to Reproduce:

  • Run sharphound.exe and check the result of _enterprisecas.json (data/HttpEnrollmentEndpoints/Result)
  • Double-check using the current version of certipy-ad:
    certipy-ad find -u '' -p '' -dc-ip

Expected Behavior:

The property ADCSWebEnrollmentEPA should return the correct value of IIS EPA protection

Actual Behavior:

The property ADCSWebEnrollmentEPA does not return the correct value of IIS EPA protection

Environment Information:

BloodhoundCE: 8.2.0
Collector: Sharphound 2.7.2
OS: Windows

Contributor Checklist:

  • [x] I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • [x] I have provided clear steps to reproduce the issue.
  • [x] I have included relevant environment information details.

Labels: bug (Something isn't working), triage (This issue requires triaging)
