This note documents detection patterns for ADCS ESC2 within Active Directory environments: certificate templates whose EKU is Any Purpose (OID 2.5.29.37.0) or absent altogether (the built-in SubCA template is the reference case), enrollable by low-privileged principals, without manager approval or an authorized signature. A certificate from such a template is usable for client authentication and therefore for PKINIT logon as the requesting identity.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate Services received a certificate request | High | Logged on the CA only when Certification Services auditing is enabled. The Attributes field carries `CertificateTemplate:<name>`; Requester is the enrolling account. |
| Security | 4887 | Certificate Services approved a certificate request and issued a certificate | Critical | The issuance event. Pivot on Requester, Request ID and the template name in Attributes. ESC2 templates carry the Any Purpose EKU or no EKU (SubCA-style); a certificate from either is usable for client authentication. |
| Security | 4768 | Kerberos TGT request | High | PKINIT logons show Pre-Authentication Type 16 (15 for the legacy form) and populate the Certificate Information fields (issuer, serial, thumbprint). Look for these shortly after a 4887, for the requester or, in an on-behalf-of abuse, for a different account. |
| Security | 4624 | Successful logon | High | Sessions following the PKINIT TGT. 4624 itself does not record that a certificate was used, so join on the 4768 by account and source address. |
| Security | 4672 | Special privileges assigned | High | Privileged session established after certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of certificate abuse tools such as Certipy (`certipy find -vulnerable`, `certipy req`, `certipy auth`), Certify (`Certify.exe find /vulnerable`, `Certify.exe request /template:`) or Rubeus (`asktgt /certificate:`). Tools are trivially renamed, so treat the command line as the indicator, not the image name. |
| Sysmon | 3 | Network connection | Medium | Connections from the source host to the CA over MS-ICPR (RPC, TCP 135 plus a dynamic endpoint) or to web enrollment (HTTP/S), followed by a connection to a domain controller on TCP 88 for the PKINIT exchange. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Enrollment in dangerous template | Certificate template with Any Purpose EKU or no EKU, enrollable by low-privileged principals, with no manager approval and no authorized signature required, published on an enterprise CA | Critical | Allows an attacker to obtain certificates usable for authentication. All conditions must hold; a template with manager approval enabled is not directly abusable. |
| Unexpected certificate usage | User authenticating with certificate instead of password | High | Possible certificate abuse scenario. |
| Certificate issued to unusual accounts | Certificates issued to service accounts or administrators unexpectedly | High | May indicate attacker enrollment. |
| Certificate usage from new host | Authentication from workstation not previously associated with account | High | Indicates attacker-controlled host. |
| Immediate privileged actions | Administrative activity following certificate authentication | Critical | Indicates attacker using certificate for escalation. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | `certipy find -vulnerable` enumerates templates meeting the ESC2 conditions; `certipy req` enrolls and `certipy auth` authenticates via PKINIT with the resulting PFX. |
| Certify | `Certify.exe find /vulnerable` enumerates and `Certify.exe request /template:` enrolls from vulnerable ADCS templates. |
| ForgeCert | Forges certificates if the attacker obtains CA key material; a separate scenario, but it produces the same PKINIT logon pattern on the DC. |
| Rubeus | `asktgt /certificate:` uses a certificate for Kerberos PKINIT authentication. |
| Impacket | No native PKINIT; PKINITtools (`gettgtpkinit.py`, built on Impacket and minikerberos) obtains the TGT, which Impacket tools then consume via `-k` and a ccache. |
Relevant Artifacts
- CA Security log (4886, 4887); requires Certification Services auditing enabled on the CA, otherwise these events are never written
- Domain controller Security logs (4768 with Pre-Authentication Type 16, 4624, 4672)
- Certificate Authority database records (`certutil -view` on the CA: requester, template, serial number, issue time) for requests that predate audit enablement
- Certificate template configuration
- Sysmon logs (1, 3)
- PKINIT authentication logs
- EDR telemetry detecting certificate abuse tools
- Prefetch artifacts showing execution of Certipy / Certify
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
- Identify certificate issuance events (4887) whose Attributes name a template with Any Purpose EKU or no EKU.
- What host generated the event?
- Determine system requesting certificate from CA.
- Is the account expected to perform this action?
- Investigate low privilege accounts requesting powerful certificate templates.
- Pivot:
- Source host → inspect execution of Certipy or Certify.
- Account → check authentication method after certificate issuance.
- Network → inspect 4768 events on domain controllers with Pre-Authentication Type 16 from the source host's address.
- Confirm exploitation
- Determine whether issued certificate was used to authenticate to domain services.
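The pivot in the decision tree above (issuance on the CA, then PKINIT on a domain controller) as working correlation logic. This is an added example for this note, not code from Certipy, Certify or any SIEM; the events are constructed inline in the flattened field names Windows uses, the template watchlist is a hypothetical one you would fill from your own template audit, and the window and severity rules are assumptions to tune. It also raises severity when the PKINIT account differs from the requester, which the tree does not spell out.

```python
"""Correlate CA issuance (4887) with later PKINIT TGT requests (4768).

Added example; not taken from any tool. All sample data is constructed.
"""
from datetime import datetime, timedelta

# Templates whose EKU is Any Purpose (2.5.29.37.0) or absent.
# Hypothetical watchlist for this example; populate it from a template audit.
ESC2_TEMPLATES = {"SubCA", "AnyPurposeTemplate"}

# 4768 Pre-Authentication Type values for certificate (PKINIT) logon:
# 16 = PA-PK-AS-REP, 15 = PA-PK-AS-REP_OLD. Password pre-auth is 2.
PKINIT_PREAUTH_TYPES = {"15", "16"}

# Constructed sample events (time, event id and the relevant data fields).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4886, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:AnyPurposeTemplate\nccm:WS01.corp.local"},
    {"time": "2024-03-01T09:00:01", "id": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:AnyPurposeTemplate\nccm:WS01.corp.local"},
    {"time": "2024-03-01T09:04:30", "id": 4768, "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.0.0.25", "PreAuthType": "16"},
    {"time": "2024-03-01T09:20:00", "id": 4768, "TargetUserName": "administrator",
     "IpAddress": "::ffff:10.0.0.25", "PreAuthType": "16"},
    {"time": "2024-03-01T10:00:00", "id": 4887, "Requester": "CORP\\svc-web",
     "Attributes": "CertificateTemplate:WebServer\nccm:WEB01.corp.local"},
    {"time": "2024-03-01T10:05:00", "id": 4768, "TargetUserName": "svc-web",
     "IpAddress": "::ffff:10.0.0.40", "PreAuthType": "2"},
]


def parse_attributes(attributes):
    """Turn the 4886/4887 Attributes blob (one key:value per line) into a dict."""
    parsed = {}
    for line in attributes.replace("\r", "").split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            parsed[key.strip()] = value.strip()
    return parsed


def account_name(name):
    """Normalise 'DOMAIN\\user', 'user@domain' and 'user' to a bare lowercase user."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def correlate_esc2(events, window=timedelta(hours=1)):
    """Alert on PKINIT TGT requests within `window` after an ESC2-template issuance.

    Severity is 'critical' when the account logging on is not the requester,
    since an Any Purpose certificate can also be used to request on behalf of
    another user (assumed heuristic, tune to your environment).
    """
    issued = []   # (issued_at, requester, template)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4887:
            template = parse_attributes(ev["Attributes"]).get("CertificateTemplate", "")
            if template in ESC2_TEMPLATES:
                issued.append((ts, account_name(ev["Requester"]), template))
        elif ev["id"] == 4768 and ev.get("PreAuthType") in PKINIT_PREAUTH_TYPES:
            target = account_name(ev["TargetUserName"])
            for issued_at, requester, template in issued:
                if timedelta(0) <= ts - issued_at <= window:
                    alerts.append({
                        "issued_at": issued_at.isoformat(),
                        "requester": requester,
                        "template": template,
                        "pkinit_account": target,
                        "client_ip": ev.get("IpAddress", ""),
                        "logon_at": ts.isoformat(),
                        "severity": "critical" if target != requester else "high",
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate_esc2(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two alerts: the requester's own PKINIT logon four minutes after issuance (high) and a later PKINIT logon as `administrator` from the same client address (critical). The `WebServer` issuance and the password-based 4768 (Pre-Authentication Type 2) produce nothing.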
Example Detection Templates
KQL
let Esc2Templates = dynamic(["SubCA"]); // add the templates your audit flagged as Any Purpose / no EKU
SecurityEvent
| where EventID == 4887
| extend Requester = extract(@'<Data Name="Requester">([^<]+)</Data>', 1, EventData),
         CertificateTemplate = extract(@'CertificateTemplate:([^\s<]+)', 1, EventData)
| where CertificateTemplate in~ (Esc2Templates)
| summarize Issued = count() by CertificateTemplate, Requester, Computer, bin(TimeGenerated, 10m)
| order by Issued desc
SecurityEvent
| where EventID == 4768 and PreAuthType == "16"
| extend CertThumbprint = extract(@'<Data Name="CertThumbprint">([^<]+)</Data>', 1, EventData)
| where isnotempty(CertThumbprint)
| summarize Logons = count() by TargetUserName, IpAddress, CertThumbprint, bin(TimeGenerated, 5m)
EQL
any where event.code == "4887" and winlog.event_data.Attributes : "*CertificateTemplate:SubCA*"
Sigma
title: Suspicious ADCS Certificate Enrollment ESC2
id: adcs-esc2-detection
status: experimental
description: Detects a CA issuing a certificate (4887) from a template whose EKU is Any Purpose or absent, which may indicate ESC2 exploitation. Requires Certification Services auditing enabled on the CA.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4887
    Attributes|contains:
      - 'CertificateTemplate:SubCA'   # add each template your audit flagged as Any Purpose / no EKU
  condition: selection
fields:
  - RequestId
  - Requester
  - Attributes
falsepositives:
  - Legitimate enrollment of subordinate CA or other Any Purpose certificates by PKI administrators
level: high
tags:
  - attack.credential_access
  - attack.t1649
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Template EKU restriction | Remove or unpublish templates with the Any Purpose EKU or no EKU; where one must exist, enable manager approval (CT_FLAG_PEND_ALL_REQUESTS) or require an authorized signature | Critical | Removes the ESC2 precondition; manager approval alone already blocks direct abuse. |
| Enrollment permissions | Restrict enrollment rights to trusted groups | High | Prevents low privilege users requesting dangerous certificates. |
| Template auditing | Regularly review certificate template configuration | High | Detects vulnerable template settings. |
| CA auditing | Enable the Certification Services audit subcategory (`auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable`) and set the CA audit filter (`certutil -setreg CA\AuditFilter 127`, then restart the service) | Critical | Without this, 4886/4887 are never written and the detections above have nothing to match. |
| Monitoring | Alert on 4887 for Any Purpose / no-EKU templates and on 4768 PKINIT logons for privileged identities | High | Early detection of abuse. |
| PKI hardening | Restrict access to Certificate Authority infrastructure | High | Prevents attackers abusing CA functionality. |
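The "Template auditing" control above is the check that decides whether the other rows even apply, so here is the ESC2 test expressed as code. This is an added example for this note, not Certipy's or Certify's implementation. It assumes each template has already been read from `CN=Certificate Templates,CN=Public Key Services,CN=Services,<ConfigurationNC>` into a dictionary keyed by the real attribute names, that the principals holding the Certificate-Enrollment extended right have been resolved to SIDs under a hypothetical `enroll` key, and that a hypothetical `published` key records whether the template appears in a CA's `certificateTemplates` attribute. The sample templates are constructed; only `SubCA` and `User` mirror real default templates.

```python
"""Flag certificate templates that meet the ESC2 conditions.

Added example; not code from Certipy or Certify. Template records are
simplified dicts with AD attribute names; `enroll` and `published` are
assumed to have been resolved by the caller.
"""

ANY_PURPOSE_EKU = "2.5.29.37.0"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag: manager approval

# Principals every domain member effectively is: Everyone, Authenticated Users,
# BUILTIN\Users, plus Domain Users (RID 513) and Domain Computers (RID 515).
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
LOW_PRIV_RIDS = {"513", "515"}

# Constructed sample templates (S-1-5-21-1-2-3 is a placeholder domain SID).
SAMPLE_TEMPLATES = [
    {"name": "SubCA", "pKIExtendedKeyUsage": [],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll": ["S-1-5-21-1-2-3-512"], "published": True},           # Domain Admins only
    {"name": "AnyPurposeTemplate", "pKIExtendedKeyUsage": ["2.5.29.37.0"],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll": ["S-1-5-21-1-2-3-513"], "published": True},           # Domain Users
    {"name": "AnyPurposeApproved", "pKIExtendedKeyUsage": ["2.5.29.37.0"],
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "enroll": ["S-1-5-21-1-2-3-513"], "published": True},
    {"name": "AnyPurposeUnpublished", "pKIExtendedKeyUsage": ["2.5.29.37.0"],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll": ["S-1-5-11"], "published": False},
    {"name": "User",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                             "1.3.6.1.4.1.311.10.3.4"],
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "enroll": ["S-1-5-21-1-2-3-513"], "published": True},
]


def is_low_privileged(sid):
    """True for well-known broad groups or for Domain Users / Domain Computers."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def assess_esc2(template):
    """Return (esc2, reasons). Every condition must hold for the template to count.

    Conditions: EKU is Any Purpose or absent; no manager approval; no
    authorized signature required; enrollable by a low-privileged principal;
    published on a CA.
    """
    reasons = []
    ekus = template.get("pKIExtendedKeyUsage") or []
    if not ekus:
        reasons.append("no EKU (usable for any purpose, SubCA-style)")
    elif ANY_PURPOSE_EKU in ekus:
        reasons.append("Any Purpose EKU 2.5.29.37.0")
    else:
        return False, ["EKU restricted to " + ", ".join(ekus)]
    if template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return False, reasons + ["manager approval required"]
    if template.get("msPKI-RA-Signature", 0) > 0:
        return False, reasons + ["authorized signature required"]
    low = [sid for sid in template.get("enroll", []) if is_low_privileged(sid)]
    if not low:
        return False, reasons + ["no low-privileged enrollment rights"]
    reasons.append("enrollable by " + ", ".join(low))
    if not template.get("published", False):
        return False, reasons + ["not published on any CA"]
    return True, reasons


def audit_templates(templates):
    """Map template name to its ESC2 verdict and the reasons behind it."""
    report = {}
    for template in templates:
        esc2, reasons = assess_esc2(template)
        report[template["name"]] = {"esc2": esc2, "reasons": reasons}
    return report


if __name__ == "__main__":
    for name, verdict in audit_templates(SAMPLE_TEMPLATES).items():
        print(name, "ESC2" if verdict["esc2"] else "ok", "; ".join(verdict["reasons"]))
```

On the sample set only `AnyPurposeTemplate` is flagged. `SubCA` has the dangerous EKU shape but is enrollable only by Domain Admins, `AnyPurposeApproved` is blocked by manager approval, `AnyPurposeUnpublished` cannot be requested from any CA, and `User` has a constrained EKU list. The reasons list is what you would carry into a ticket or feed into the watchlist used by the detection queries.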