SharpHound currently fails to detect potential vulnerabilities related to ADCS ESC10a when the principal has no GenericWrite or broader permission on the target object. Specifically, it does not collect "Write Property" rights scoped to the userPrincipalName (UPN) attribute, which are critical for identifying this attack path.
According to the BloodHound documentation on ESC10a, an attacker can exploit WriteProperty rights on the UPN to impersonate users via certificate requests. However, SharpHound does not currently enumerate these rights unless GenericWrite is present, leading to incomplete visibility in BloodHound graphs.
The list of currently collected edge types is defined in EdgeNames.cs, and it appears that WriteProperty on UPN is not explicitly handled for this scenario. WriteProperty on UPN can also be granted through the Public-Information property set.
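To audit for the rights described above independently of the collector, the following added example (not SharpHound or BloodHound code) scans a user object's DACL in SDDL form for allow ACEs whose WriteProperty reaches UPN without GenericAll or GenericWrite. The two GUIDs are the schema GUIDs of userPrincipalName and the Public-Information property set; the function names, SIDs and sample SDDL are constructed, and deny ACEs and inherited-object-type filtering are ignored as a simplification.

```python
import re

# Schema GUIDs from the AD schema; SIDs and the SDDL below are constructed sample data.
SCOPES = {
    "": "all-properties",                                              # WP with no object GUID
    "28630ebb-41d5-11d1-a9c1-0000f80367c1": "upn-attribute",           # userPrincipalName
    "e48d0154-bcf8-11d1-8702-00c04fb96050": "public-information-set",  # Public-Information
}
RIGHTS = {"GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000, "CC": 0x1, "DC": 0x2,
          "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
GENERIC = RIGHTS["GA"] | RIGHTS["GW"]  # the broad rights the report says are already collected

def parse_mask(text):  # SDDL rights field ('RPWP' or '0x30') -> access mask
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def upn_write_grants(sddl):
    """Return sorted (trustee, scope) pairs where WriteProperty reaches UPN without GA/GW."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl).group(1)
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        ace_type, flags, rights, obj, _inherited, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):      # simplification: deny ACEs are ignored
            continue
        if "IO" in re.findall("..", flags):  # inherit-only ACEs do not apply to this object
            continue
        mask = parse_mask(rights)
        if mask & GENERIC or not mask & RIGHTS["WP"]:
            continue
        scope = SCOPES.get(obj.lower())      # None when WP targets some other attribute
        if scope:
            found.add((trustee, scope))
    return sorted(found)

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;WP;28630ebb-41d5-11d1-a9c1-0000f80367c1;;{DOM}-1105)"      # WP on UPN only
    f"(OA;;RPWP;e48d0154-bcf8-11d1-8702-00c04fb96050;;{DOM}-1106)"    # via the property set
    f"(OA;;WP;11111111-2222-3333-4444-555555555555;;{DOM}-1107)"      # unrelated, made-up GUID
    f"(A;;GW;;;{DOM}-1108)"                                           # GenericWrite
    f"(OA;CIIO;WP;28630ebb-41d5-11d1-a9c1-0000f80367c1;;{DOM}-1109)"  # inherit-only
    f"(A;;0x30;;;{DOM}-1110)"                                         # RP|WP on all properties
)
print(upn_write_grants(SAMPLE_SDDL))
```

Trustees returned with the `upn-attribute` or `public-information-set` scope are the ones the report describes as missing from the graph.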