This note documents detection patterns related to ADCS ESC11 within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate issued | Critical | Certificate issued through the RPC enrollment endpoint, which ESC11 abuses via NTLM relay. Review the Requester and CertificateTemplate fields. |
| Security | 4887 | Certificate request approved | Medium | Unexpected certificate approvals via RPC enrollment. |
| Security | 4768 | Kerberos TGT request | High | A certificate obtained through relay may be used for PKINIT authentication shortly after issuance; look for a TGT request for the enrolled account. |
| Security | 4624 | Successful logon | High | Certificate-based authentication events following certificate issuance. |
| Security | 4672 | Special privileges assigned | High | Privileged session following certificate-based authentication. |
| Sysmon | 3 | Network connection | Critical | Connections from attacker relay host to RPC enrollment endpoint on CA server. |
| Sysmon | 1 | Process creation | Medium | Execution of ntlmrelayx or Certipy relay module. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| NTLM authentication to CA RPC interface | Authentication to RPC enrollment service | Critical | ESC11 relies on NTLM relay to RPC enrollment endpoint. |
| Authentication coercion preceding request | PrinterBug, PetitPotam, DFSCoerce | Critical | These attacks force machine authentication to the attacker's relay host. |
| Machine account certificate enrollment | Certificate issued for machine account unexpectedly | High | Common scenario in relay attacks. |
| Certificate issuance from unusual source host | Enrollment request from a workstation that does not normally interact with the CA | High | The request's source is likely the relay host. |
| Privileged activity after authentication | Administrative actions following certificate logon | Critical | Attacker leveraging certificate for domain escalation. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Supports NTLM relay to ADCS RPC enrollment endpoint. |
| ntlmrelayx | Impacket tool used to relay NTLM authentication to RPC enrollment service. |
| PetitPotam | Coerces authentication from domain controllers or servers. |
| PrinterBug | Triggers authentication to attacker-controlled system. |
| Coercer | Framework automating coercion attacks. |
Relevant Artifacts
- Domain controller Security logs (4768, 4624)
- ADCS server Security logs (4886, 4887)
- RPC enrollment service logs
- Network telemetry showing NTLM relay patterns
- Sysmon logs (1, 3)
- EDR telemetry detecting relay tooling
- Prefetch artifacts for ntlmrelayx or Certipy
- Authentication logs preceding relay activity
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.001 NTLM Relay
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
Decision Tree
- Is the suspicious event present?
  - Identify certificate issuance events (4886) associated with RPC enrollment.
- What host generated the event?
  - Investigate the source host interacting with the CA RPC interface.
- Is the account expected to perform this action?
  - Machine accounts rarely request authentication certificates.
- Pivot:
  - Source host → inspect execution of ntlmrelayx or Certipy.
  - Account → verify authentication pattern and privileges.
  - Network → inspect coercion activity preceding certificate enrollment.
- Confirm exploitation
  - Determine whether the certificate was used for PKINIT authentication.
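The decision-tree checks above (machine-account requester, enrollment from a host other than the account's own, PKINIT use shortly after issuance) as a correlation over constructed sample events; this is an added example, not part of the original note. The event field names, the 30-minute window and the 4768 pre-authentication type mapping are assumptions.

```python
from datetime import datetime, timedelta

# PKINIT pre-authentication types as logged in Windows event 4768
# (16 = PA-PK-AS-REP, 15 = PA-PK-AS-REP_OLD). Assumed mapping; confirm it
# against the event reference for your domain controllers.
PKINIT_PREAUTH_TYPES = {15, 16}

# Constructed sample events, not real logs. Field names are assumptions
# standing in for the 4886 / 4768 fields your SIEM normalises to.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "event_id": 4886, "requester": "CORP\\DC01$",
     "template": "Machine", "source_host": "WS-FINANCE07"},   # relay host enrolling as the DC
    {"ts": "2024-05-01T10:01:40", "event_id": 4768, "account": "DC01$",
     "pre_auth_type": 16},                                     # PKINIT TGT minutes later
    {"ts": "2024-05-01T11:30:00", "event_id": 4886, "requester": "CORP\\FILESRV02$",
     "template": "Machine", "source_host": "FILESRV02"},       # host enrolling for itself
    {"ts": "2024-05-01T11:30:20", "event_id": 4768, "account": "FILESRV02$",
     "pre_auth_type": 2},                                      # password pre-auth, not PKINIT
    {"ts": "2024-05-01T12:00:00", "event_id": 4886, "requester": "CORP\\alice",
     "template": "User", "source_host": "WS-ALICE"},
]

def account_name(requester):
    """'CORP\\DC01$' -> 'DC01$' (domain prefix stripped, upper-cased)."""
    return requester.rsplit("\\", 1)[-1].upper()

def find_esc11_candidates(events, window=timedelta(minutes=30)):
    """Correlate each 4886 enrollment with the decision-tree checks: machine-account
    requester, enrollment from a host other than the account's own, and a PKINIT
    TGT (4768) for the same account within `window`. Returns one alert per hit."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    tgts = [e for e in parsed if e["event_id"] == 4768]
    alerts = []
    for e in (x for x in parsed if x["event_id"] == 4886):
        acct = account_name(e["requester"])
        reasons = []
        if acct.endswith("$"):
            reasons.append("machine account requester")
            if e["source_host"].upper() != acct.rstrip("$"):
                reasons.append("enrollment from host other than the account's own")
        if any(t["account"].upper() == acct and t["pre_auth_type"] in PKINIT_PREAUTH_TYPES
               and e["ts"] < t["ts"] <= e["ts"] + window for t in tgts):
            reasons.append("PKINIT TGT within window")
        if len(reasons) >= 2:   # a single weak signal is consistent with normal enrollment
            alerts.append({"requester": acct, "template": e["template"],
                           "source_host": e["source_host"], "reasons": reasons,
                           "severity": "critical" if len(reasons) == 3 else "high"})
    return alerts

if __name__ == "__main__":
    for a in find_esc11_candidates(SAMPLE_EVENTS):
        print(a["severity"], a["requester"], "from", a["source_host"], "->", "; ".join(a["reasons"]))
```

Only the DC01$ enrollment from WS-FINANCE07 is raised; FILESRV02$ enrolling for itself with a password-based TGT is left alone.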
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4886
| project TimeGenerated, Requester, CertificateTemplate, SubjectUserName
```

```kql
SecurityEvent
| where EventID == 4624 and LogonType == 3
| project TimeGenerated, TargetUserName, IpAddress
```

EQL

```eql
any where event.code == "4886"
```

Sigma

```yaml
title: Suspicious Certificate Enrollment via RPC
id: adcs-esc11-detection
status: experimental
description: Detects certificate issuance potentially related to NTLM relay via RPC enrollment
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4886
  condition: selection
fields:
  - Requester
  - CertificateTemplate
falsepositives:
  - Legitimate certificate enrollment
level: medium
tags:
  - attack.credential_access
  - attack.t1557
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Disable NTLM where possible | Prevent NTLM relay attacks | Critical | Eliminates relay capability. |
| Require LDAP/SMB signing | Enforce signing protections | High | Reduces relay opportunities. |
| RPC security hardening | Restrict access to CA RPC enrollment service | High | Limits exposure of relay target. |
| Monitoring | Alert on certificate issuance via RPC endpoint | High | Detects relay attempts. |
| Network segmentation | Restrict CA access to trusted systems | Medium | Reduces exposure to relay hosts. |