> ## Documentation Index
> Fetch the complete documentation index at: https://specterops-bed-7559-api-key-exp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# ExtendedByPolicy

> The edge indicates that a certificate template includes an issuance policy as a certificate extension.

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/Q9Jppg_Pu54SydxZ/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=Q9Jppg_Pu54SydxZ&q=85&s=dab889e863a05e09b1378befc30bbb10" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

An attacker may perform the ADCS ESC13 abuse which relies on an issuance policy included in a certificate. This relationship alone is not enough to escalate rights or impersonate other principals.

## Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

## Edge Schema

Source: [CertTemplate](/resources/nodes/cert-template)\
Destination: [IssuancePolicy](/resources/nodes/issuance-policy)\
Traversable: **No**

## References

* [ADCS ESC13 Abuse Technique](https://specterops.io/blog/2024/02/14/adcs-esc13-abuse-technique/)
* [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897\(v=ws.10\)?redirectedfrom=MSDN)
* [Use Authentication Mechanism Assurance (AMA) to secure administrative account login](https://www.gradenegger.eu/en/using-authentication-mechanism-assurance-ama-to-secure-the-login-of-administrative-accounts/)
