This note documents detection patterns related to ADCS ESC1 within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate issued | Critical | Indicates a certificate was issued by ADCS. Review CertificateTemplate, Requester, and Subject for suspicious requests where low-privileged users enroll certificates for other accounts. |
| Security | 4887 | Certificate request approved | High | Manual or automated approval of suspicious certificate requests. |
| Security | 4768 | Kerberos TGT request | Critical | ESC1 abuse allows an attacker to authenticate via PKINIT using the issued certificate. Look for TGT requests shortly after certificate issuance. |
| Security | 4624 | Successful logon | High | Logons using certificate-based authentication may follow exploitation. |
| Security | 4672 | Special privileges assigned | High | Privileged session after certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of ADCS exploitation tools such as Certipy, Certify, or Rubeus. |
| Sysmon | 3 | Network connection | Medium | Connections to CA server or domain controller during certificate enrollment and ticket requests. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Enrollment by low privilege account | Standard user requesting certificate capable of client authentication | Critical | ESC1 occurs when templates allow ENROLLEE_SUPPLIES_SUBJECT and client authentication. |
| Certificate issued for another identity | Certificate subject differs from requesting account | Critical | Indicates impersonation attempt. |
| Unexpected PKINIT authentication | User authenticating with certificate when normally using password | High | Possible forged or abused certificate. |
| ADCS access from unusual workstation | Certificate requests originating from attacker-controlled host | High | Investigate suspicious enrollment patterns. |
| Immediate privileged activity | Administrative actions shortly after certificate-based logon | Critical | Indicates attacker leveraging certificate authentication. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates ADCS configuration and exploits ESC1 templates. |
| Certify | Active Directory Certificate Services abuse tool used for certificate enrollment attacks. |
| Rubeus | Uses issued certificates to request Kerberos tickets via PKINIT. |
| Impacket | Supports certificate authentication operations. |
| Certutil | Built-in Windows utility used to request or inspect certificates. |
Relevant Artifacts
- ADCS server Security logs (4886, 4887)
- Domain controller logs (4768, 4624)
- Certificate Authority database records
- Certificate template configuration
- Sysmon logs (1, 3)
- PKINIT authentication logs
- EDR telemetry detecting certificate abuse tools
- Prefetch artifacts showing execution of Certipy or Certify
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify certificate issuance events (4886) involving unusual templates.
- What host generated the event?
  - Determine which system submitted the certificate request.
- Is the account expected to perform this action?
  - Verify whether the requesting account normally enrolls certificates.
- Pivot:
  - Source host → inspect execution of Certipy or other ADCS abuse tools.
  - Account → verify whether the certificate subject differs from the requester.
  - Network → inspect PKINIT authentication events following issuance.
- Confirm exploitation
  - Determine whether the attacker used the certificate to request Kerberos tickets.
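The decision tree above (identity mismatch on the enrollment, then a PKINIT ticket request for the impersonated account) and the indirect-indicator table can be expressed as a small correlation. The following is example code added to this note, not a vendor or project tool. Windows records 4886 when the CA receives a request and 4887 when it approves and issues the certificate, so the example pairs the two by Request ID before comparing the requester against the certificate identity. The event records are constructed, and their field names (`requester`, `san_upn`, `target_user`, `preauth_type`, and so on) are assumed normalized names from a log parser, not the raw EventData schema.

```python
"""Correlate ADCS enrollment events with follow-on PKINIT TGT requests.

Example code added to this note (not a vendor or project tool). Event records
are constructed, and the field names are assumed normalized names produced by
a log parser, not the raw EventData schema of 4886/4887/4768.
"""
from datetime import datetime, timedelta

# 4768 Pre-Authentication Type values that mean the TGT was obtained with a
# certificate (PA-PK-AS-REP_OLD, PA-PK-AS-REQ, PA-PK-AS-REP); 2 is a password.
PKINIT_PREAUTH = {15, 16, 17}

EVENTS = [  # constructed sample events
    # Low-privileged user enrolls on a template and supplies a SAN for an admin.
    {"ts": "2024-05-01T10:00:00", "source": "CA01", "event_id": 4886,
     "request_id": 1042, "requester": "CORP\\jdoe",
     "template": "VPN-Users-Legacy", "san_upn": "administrator@corp.local"},
    {"ts": "2024-05-01T10:00:01", "source": "CA01", "event_id": 4887,
     "request_id": 1042, "requester": "CORP\\jdoe",
     "template": "VPN-Users-Legacy", "san_upn": "administrator@corp.local"},
    # TGT for the admin via PKINIT a few minutes later, from a workstation.
    {"ts": "2024-05-01T10:03:30", "source": "DC01", "event_id": 4768,
     "target_user": "administrator", "ip": "10.10.20.55", "preauth_type": 16},
    # Ordinary enrollment: requester and SAN agree, later logon uses a password.
    {"ts": "2024-05-01T10:05:00", "source": "CA01", "event_id": 4886,
     "request_id": 1043, "requester": "CORP\\asmith",
     "template": "User", "san_upn": "asmith@corp.local"},
    {"ts": "2024-05-01T10:05:01", "source": "CA01", "event_id": 4887,
     "request_id": 1043, "requester": "CORP\\asmith",
     "template": "User", "san_upn": "asmith@corp.local"},
    {"ts": "2024-05-01T11:00:00", "source": "DC01", "event_id": 4768,
     "target_user": "asmith", "ip": "10.10.30.7", "preauth_type": 2},
    # Received but never issued (no 4887): no certificate exists to abuse.
    {"ts": "2024-05-01T11:30:00", "source": "CA01", "event_id": 4886,
     "request_id": 1044, "requester": "CORP\\jdoe",
     "template": "VPN-Users-Legacy", "san_upn": "svc-backup@corp.local"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def account_name(identity):
    """Reduce 'CORP\\jdoe', 'jdoe@corp.local' or 'jdoe' to lowercase 'jdoe'."""
    ident = identity.rsplit("\\", 1)[-1]
    ident = ident.split("@", 1)[0]
    return ident.lower()


def issued_requests(events):
    """Pair 4886 (request received) with 4887 (approved and issued) by request_id.

    Only issued requests are returned: a pending or denied request never
    produces a certificate that can be used for PKINIT.
    """
    received = {e["request_id"]: e for e in events if e["event_id"] == 4886}
    issued = {}
    for e in events:
        if e["event_id"] == 4887 and e["request_id"] in received:
            merged = {**received[e["request_id"]], **e}
            merged["issued_ts"] = parse_ts(e["ts"])
            issued[e["request_id"]] = merged
    return issued


def identity_mismatches(events):
    """Indirect indicator: certificate identity differs from the requesting account."""
    out = []
    for req in issued_requests(events).values():
        san = req.get("san_upn")
        if san and account_name(san) != account_name(req["requester"]):
            out.append(req)
    return out


def analyze(events, window=timedelta(minutes=30)):
    """Raise each mismatched enrollment; escalate to critical when a PKINIT TGT
    for the impersonated account follows within the window (decision tree:
    'Confirm exploitation')."""
    tgts = [e for e in events
            if e["event_id"] == 4768 and e.get("preauth_type") in PKINIT_PREAUTH]
    findings = []
    for req in identity_mismatches(events):
        victim = account_name(req["san_upn"])
        start, end = req["issued_ts"], req["issued_ts"] + window
        follow_on = [t for t in tgts
                     if account_name(t["target_user"]) == victim
                     and start <= parse_ts(t["ts"]) <= end]
        findings.append({
            "request_id": req["request_id"],
            "requester": req["requester"],
            "template": req["template"],
            "impersonated": victim,
            "pkinit_tgt": follow_on[0] if follow_on else None,
            "severity": "critical" if follow_on else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The window is deliberately short: the note's 4768 row says to look for TGT requests shortly after issuance, and widening it mostly adds the legitimate smart-card logons of the impersonated account. A mismatch with no follow-on ticket is still reported, because the certificate remains valid and can be used later.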
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4886
| project TimeGenerated, Requester, CertificateTemplate, SubjectUserName
```

```kql
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```
EQL
```eql
any where event.code == "4886"
```
Sigma
```yaml
title: Suspicious ADCS Certificate Enrollment
id: adcs-esc1-enrollment
status: experimental
description: Detects potentially malicious certificate enrollment associated with ESC1
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4886
  condition: selection
fields:
  - Requester
  - CertificateTemplate
falsepositives:
  - Legitimate certificate enrollment
level: medium
tags:
  - attack.credential_access
  - attack.t1649
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Template configuration | Disable ENROLLEE_SUPPLIES_SUBJECT where not required | Critical | Prevents attackers specifying arbitrary identities. |
| Enrollment permissions | Restrict certificate enrollment rights | High | Limit access to sensitive templates. |
| Template auditing | Regularly audit certificate templates for misconfigurations | High | Detects ESC1 exposure. |
| Monitoring | Alert on certificate issuance for privileged identities | High | Early detection of abuse attempts. |
| PKI hardening | Implement strict access controls on ADCS infrastructure | High | Reduces attack surface. |
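The "Template configuration" and "Template auditing" rows above, together with the indirect-indicator note that ESC1 needs ENROLLEE_SUPPLIES_SUBJECT plus a client-authentication capability, can be checked mechanically against template attributes. The following is example code added to this note, not a project tool. The template records are constructed; the attribute names are the AD schema names for certificate templates (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`), while `enroll_principals` is an assumed pre-resolved list of principals holding the Enroll right, which in practice comes from the template's security descriptor.

```python
"""Audit certificate template attributes for the ESC1 precondition set.

Example code added to this note, not a project tool. Template records are
constructed; attribute names follow the AD schema names for templates, while
"enroll_principals" is an assumed pre-resolved list of principals holding the
Enroll right (in practice derived from the template's security descriptor).
"""

# msPKI-Certificate-Name-Flag bit: the enrollee may supply the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that allow a certificate to authenticate a principal to AD. An empty
# EKU list (usable for any purpose) also qualifies.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}

ALL_CONDITIONS = ("enrollee_supplies_subject", "authentication_eku",
                  "no_manager_approval", "no_authorized_signatures",
                  "low_privilege_enrollment")

TEMPLATES = [  # constructed sample templates
    {"name": "VPN-Users-Legacy",
     "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000000,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"]},
    {"name": "User",  # subject is built from AD, not supplied by the requester
     "msPKI-Certificate-Name-Flag": 0xA6000000,
     "msPKI-Enrollment-Flag": 0x00000029,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4",
                             "1.3.6.1.5.5.7.3.4"],
     "enroll_principals": ["Domain Users"]},
    {"name": "WebServer",  # enrollee supplies the subject, but server-auth EKU only
     "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000000,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_principals": ["Domain Admins"]},
]


def has_auth_eku(ekus):
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(t):
    """Names of the ESC1 preconditions this template satisfies."""
    met = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee_supplies_subject")
    if has_auth_eku(t["pKIExtendedKeyUsage"]):
        met.append("authentication_eku")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no_manager_approval")
    if t["msPKI-RA-Signature"] == 0:
        met.append("no_authorized_signatures")
    if LOW_PRIV_PRINCIPALS & set(t["enroll_principals"]):
        met.append("low_privilege_enrollment")
    return met


def is_esc1_exposed(t):
    """ESC1 needs every precondition at once; removing any one breaks the chain."""
    return set(esc1_conditions(t)) == set(ALL_CONDITIONS)


def audit(templates):
    """Per-template verdict plus the conditions that are NOT met, which tells the
    reviewer which single control is currently keeping the template safe."""
    return {t["name"]: {"exposed": is_esc1_exposed(t),
                        "missing": sorted(set(ALL_CONDITIONS) - set(esc1_conditions(t)))}
            for t in templates}


def remediate(t):
    """Apply the 'Template configuration' mitigation: clear ENROLLEE_SUPPLIES_SUBJECT.
    Returns a modified copy; the original record is left untouched."""
    fixed = dict(t)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


if __name__ == "__main__":
    for name, result in audit(TEMPLATES).items():
        print(name, "EXPOSED" if result["exposed"] else "ok", result["missing"])
```

Reporting the missing conditions, not just a yes/no, is the useful part for the "Template auditing" control: a template that is one setting away from ESC1 (for example, exposed only because manager approval happens to be enabled) deserves a review before someone relaxes that setting for convenience.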