AD CS improvements (#45)

martanne · Tw1sm · web-flow · commit 7d6e4520cc84 · 2025-11-22T10:25:46.000-05:00
* Fix AD CS certificate chain creation

Extend the certificate chain of enterprise CAs to also include the
corresponding root CA.

* Resolve enterprise CA to hosting computer object

This allows BloodHound to create the HostsCAService edge which since
v7.4.0 is a pre-requisite for the other post-processed AD CS edges.

* bump version &amp; changelog

---------

Co-authored-by: Tw1sm &lt;mcreel31@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,9 @@
 # Changelog
+## [0.4.18] - 11/22/2025
+### Fixes
+- Fix ADCSESC1 edge creation
+- Fix [#44](https://github.com/coffeegist/bofhound/issues/44)
+
 ## [0.4.17] - 10/30/2025
 ### Performance
 - Optimized group membership resolution algorithm from polynomial to linear complexity using reverse index lookups
diff --git a/bofhound/ad/adds.py b/bofhound/ad/adds.py
@@ -379,6 +379,10 @@ def process(self):
                     self.resolve_published_templates(ca)
             logger.info("Resolved enabled templates per CA")
 
+            with console.status(" [bold] Resolving hosting computers of CAs", spinner="aesthetic"):
+                for ca in self.enterprisecas:
+                    self.resolve_hosting_computer(ca)
+            logger.info("Resolved hosting computers of CAs")
 
     def get_sid_from_name(self, name):
         for entry in self.SID_MAP:
@@ -754,6 +758,16 @@ def resolve_published_templates(self, entry:BloodHoundEnterpriseCA):
                     and template.Properties['domain'] == entry.Properties['domain']:
                         entry.EnabledCertTemplates.append({"ObjectIdentifier": template.ObjectIdentifier.upper(), "ObjectType": "CertTemplate"})
 
+    def resolve_hosting_computer(self, ca:BloodHoundEnterpriseCA):
+        if 'dnshostname' in ca.Properties:
+            hostname = ca.Properties['dnshostname']
+            for comp in self.computers:
+                if comp.matches_dnshostname(hostname):
+                    ca.HostingComputer = comp.ObjectIdentifier
+                    logger.debug(f"Resolved CA hosting computer: {hostname} to {ca.HostingComputer}")
+                    return
+            logger.warning(f"Could not resolve CA hosting computer: {hostname}")
+
     def parse_acl(self, entry:BloodHoundObject):
         """
         Parse the nTSecurityDescriptor attribute of an AD object and extract BloodHound
@@ -1306,7 +1320,7 @@ def build_certificate_chain(start_ca_obj, all_ca_obj):
 
     def build_certificate_chains(self):
         for enterpriseca in self.enterprisecas:
-            enterpriseca.Properties['certchain'] = ADDS.build_certificate_chain(enterpriseca, self.enterprisecas)
+            enterpriseca.Properties['certchain'] = ADDS.build_certificate_chain(enterpriseca, self.enterprisecas+self.rootcas)
 
         for aiaca in self.aiacas:
             aiaca.Properties['certchain'] = ADDS.build_certificate_chain(aiaca, self.aiacas)
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bofhound"
-version = "0.4.17"
+version = "0.4.18"
 description = "Parse output from common sources and transform it into BloodHound-ingestible data"
 authors = [
 	"Adam Brown",
