This note documents detection patterns related to ADCS ESC3 within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate issued | Critical | Certificate issuance from a template allowing Certificate Request Agent usage may indicate ESC3 abuse. Review CertificateTemplate and Requester. |
| Security | 4887 | Certificate request approved | High | Suspicious approval of certificate requests involving enrollment agent templates. |
| Security | 4768 | Kerberos TGT request | High | Certificate obtained via ESC3 can be used for PKINIT authentication to obtain TGTs. |
| Security | 4624 | Successful logon | High | Certificate-based logon events may appear shortly after enrollment agent abuse. |
| Security | 4672 | Special privileges assigned | High | Privileged session established following certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of certificate exploitation tools such as Certipy, Certify, or Rubeus. |
| Sysmon | 3 | Network connection | Medium | Connections from attacker workstation to CA or domain controllers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Enrollment agent certificate issued | Certificate template allowing Certificate Request Agent EKU issued unexpectedly | Critical | ESC3 abuse requires the attacker to obtain an enrollment agent certificate first. |
| Certificate issued on behalf of another user | Enrollment agent requesting certificate for different identity | Critical | Strong indicator of impersonation. |
| Low privilege account requesting agent certificate | Standard user requesting high privilege certificate template | High | May indicate ADCS misconfiguration exploitation. |
| PKINIT authentication following certificate issuance | Kerberos TGT request shortly after certificate enrollment | High | Indicates certificate was used for authentication. |
| Privileged activity after authentication | Administrative actions after certificate logon | Critical | Indicates attacker leveraging impersonated identity. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates and exploits ESC3 vulnerable templates. |
| Certify | Requests certificates via vulnerable enrollment agent templates. |
| Rubeus | Uses certificates to request Kerberos tickets via PKINIT. |
| ForgeCert | Used when attacker obtains CA private keys. |
| Impacket | Supports certificate authentication abuse scenarios. |
Relevant Artifacts
- ADCS Security logs (4886, 4887)
- Domain controller logs (4768, 4624, 4672)
- Certificate Authority database records
- Certificate template configuration
- Sysmon logs (1, 3)
- PKINIT authentication logs
- EDR telemetry identifying certificate abuse tools
- Prefetch artifacts for Certipy or Certify execution
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify certificate issuance events (4886) involving enrollment agent templates.
- What host generated the event?
  - Determine which host requested the certificate from the CA.
- Is the account expected to perform this action?
  - Enrollment agent certificates are normally restricted to specific administrative workflows.
- Pivot:
  - Source host → inspect execution of Certipy or other ADCS exploitation tools.
  - Account → verify whether certificates were issued for other identities.
  - Network → analyze PKINIT authentication events following certificate issuance.
- Confirm exploitation
  - Determine whether the attacker used the enrollment agent certificate to impersonate other users.
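The pivot sequence above (agent certificate issued, a certificate issued for a different identity by the same requester, a PKINIT TGT request for that identity, then a privileged session) can be correlated in one pass over the CA and domain controller events. The following is an added Python example and is not part of this note or of any tool the note mentions. The records are constructed; the field names Requester, Subject and Attributes follow the 4886/4887 event layout and TargetUserName, IpAddress and PreAuthType the 4768 layout, while the PreAuthType value 16 for certificate (PKINIT) pre-authentication, the template names, the account names and the 30-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Templates assumed to carry the Certificate Request Agent EKU (hypothetical names).
AGENT_TEMPLATES = {"EnrollmentAgent"}
# 4768 Pre-Authentication Type value assumed here for PKINIT (certificate) logons.
PKINIT_PREAUTH_TYPE = "16"
# How long after the agent certificate is issued we look for follow-on activity (assumed).
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry, not real logs. Times are ISO 8601.
SAMPLE_EVENTS = [
    # Benign: a helpdesk agent account enrolls for its own agent certificate and stops there.
    {"time": "2024-05-01T08:00:00", "id": 4887, "Requester": "CORP\\hd-agent",
     "Subject": "CN=hd-agent, OU=Helpdesk, DC=corp, DC=local",
     "Attributes": "CertificateTemplate:EnrollmentAgent"},
    # Suspicious chain: standard user obtains an agent certificate ...
    {"time": "2024-05-01T09:00:00", "id": 4887, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe, OU=Users, DC=corp, DC=local",
     "Attributes": "CertificateTemplate:EnrollmentAgent"},
    # ... then requests a logon certificate whose subject is a different identity ...
    {"time": "2024-05-01T09:04:00", "id": 4887, "Requester": "CORP\\jdoe",
     "Subject": "CN=Administrator, OU=Admins, DC=corp, DC=local",
     "Attributes": "CertificateTemplate:User"},
    # ... which is used for a PKINIT TGT request and a privileged session.
    {"time": "2024-05-01T09:06:00", "id": 4768, "TargetUserName": "Administrator",
     "IpAddress": "10.1.2.3", "PreAuthType": "16"},
    {"time": "2024-05-01T09:07:00", "id": 4672, "SubjectUserName": "Administrator"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def template_of(event):
    """Pull the template name out of the Attributes field (CertificateTemplate:<name>)."""
    match = re.search(r"CertificateTemplate:([^\s,;]+)", event.get("Attributes", ""))
    return match.group(1) if match else None


def account_of(principal):
    """DOMAIN\\user -> user (lower-cased for comparison)."""
    return principal.rsplit("\\", 1)[-1].lower()


def subject_cn(subject):
    """First CN component of a certificate subject, lower-cased."""
    match = re.search(r"CN=([^,]+)", subject or "")
    return match.group(1).strip().lower() if match else None


def find_esc3_chains(events):
    """For every agent-template issuance, collect follow-on activity inside WINDOW."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    chains = []
    for seed in events:
        if seed["id"] not in (4886, 4887) or template_of(seed) not in AGENT_TEMPLATES:
            continue
        agent = account_of(seed["Requester"])
        t0 = parse_time(seed["time"])
        chain = {"agent": agent, "agent_template": template_of(seed),
                 "on_behalf_of": [], "pkinit": [], "privileged": []}
        for later in events:
            delta = parse_time(later["time"]) - t0
            if delta < timedelta(0) or delta > WINDOW:
                continue
            if later["id"] in (4886, 4887) and account_of(later["Requester"]) == agent:
                # Same requester, but the certificate subject names someone else.
                target = subject_cn(later.get("Subject"))
                if target and target != agent:
                    chain["on_behalf_of"].append(target)
            elif later["id"] == 4768 and later.get("PreAuthType") == PKINIT_PREAUTH_TYPE:
                user = later["TargetUserName"].lower()
                if user in chain["on_behalf_of"]:
                    chain["pkinit"].append(user)
            elif later["id"] == 4672:
                user = later.get("SubjectUserName", "").lower()
                if user in chain["pkinit"]:
                    chain["privileged"].append(user)
        chains.append(chain)
    return chains


def severity(chain):
    """Map how far the chain progressed onto the forensic-value scale used in this note."""
    if chain["privileged"]:
        return "critical"
    if chain["pkinit"] or chain["on_behalf_of"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for chain in find_esc3_chains(SAMPLE_EVENTS):
        print(severity(chain), chain)
```

The seed is always the agent-template issuance, so a lone agent certificate (the helpdesk case) surfaces as medium for review, while the same requester later obtaining a certificate whose subject is another account, followed by a PKINIT 4768 and a 4672 for that account, escalates to critical. In production the 4768 and 4672 events come from the domain controllers and the 4886/4887 events from the CA, so the join key is the impersonated account name plus time.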
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4886
| summarize count() by CertificateTemplate, Requester, bin(TimeGenerated, 10m)
| order by count_ desc
```

```kql
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```
EQL

```eql
any where event.code == "4886"
```
Sigma

```yaml
title: Suspicious ADCS Enrollment Agent Certificate Issuance
id: adcs-esc3-detection
status: experimental
description: Detects suspicious issuance of enrollment agent certificates potentially indicating ESC3 exploitation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4886
    condition: selection
fields:
    - CertificateTemplate
    - Requester
falsepositives:
    - Legitimate certificate enrollment workflows
level: medium
tags:
    - attack.credential_access
    - attack.t1649
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Enrollment agent restrictions | Limit which accounts can request enrollment agent certificates | Critical | Prevents impersonation via agent certificates. |
| Template auditing | Audit certificate templates with Certificate Request Agent EKU | High | Identifies ESC3 exposure. |
| Enrollment permissions | Restrict certificate enrollment rights | High | Reduces attack surface. |
| Monitoring | Alert on enrollment agent certificate issuance | High | Detects exploitation attempts. |
| PKI hardening | Restrict administrative access to ADCS infrastructure | High | Protects CA environment. |
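The first three controls in the table (enrollment agent restrictions, template auditing, enrollment permissions) can be checked together against the template attributes that define ESC3 exposure. The following is an added Python example and is not part of this note. The template records are constructed dictionaries shaped like the AD attributes on certificate template objects: pKIExtendedKeyUsage, msPKI-Enrollment-Flag (bit 0x2, CT_FLAG_PEND_ALL_REQUESTS, meaning CA manager approval) and msPKI-RA-Signature (number of authorized signatures required); the Certificate Request Agent EKU OID 1.3.6.1.4.1.311.20.2.1 is Microsoft's documented value. The enroll_principals list is a simplification of the template's enrollment ACL, and the template and group names are hypothetical.

```python
# Certificate Request Agent EKU (documented Microsoft OID).
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"
# msPKI-Enrollment-Flag bit: all requests pend for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x2
# Principals whose enrollment right on an agent template means any domain account can enroll.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed template records (not exported from a real CA).
SAMPLE_TEMPLATES = [
    # Weak: agent EKU, no approval, no signature, enrollable by every domain user.
    {"name": "EnrollmentAgent",
     "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll_principals": ["Domain Users", "Domain Admins"]},
    # Better: approval required and enrollment limited to a dedicated group.
    {"name": "RestrictedAgent",
     "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "enroll_principals": ["PKI Agents"]},
    # Not an agent template (client authentication EKU only); out of scope for this check.
    {"name": "User",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll_principals": ["Domain Users"]},
]


def audit_template(template):
    """Return a finding for an agent-EKU template, or None if the template has no agent EKU."""
    if CERT_REQUEST_AGENT_EKU not in template.get("pKIExtendedKeyUsage", []):
        return None
    weaknesses = []
    approval_required = bool(template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    if not approval_required:
        weaknesses.append("manager approval not required")
    if template.get("msPKI-RA-Signature", 0) == 0:
        weaknesses.append("no authorized signature required")
    exposed = sorted(LOW_PRIV_PRINCIPALS & set(template.get("enroll_principals", [])))
    if exposed:
        weaknesses.append("low-privilege enrollment: " + ", ".join(exposed))
    # ESC3 exposure needs all three: broad enrollment with neither approval nor signature.
    if exposed and len(weaknesses) == 3:
        status = "exposed"
    elif weaknesses:
        status = "review"
    else:
        status = "hardened"
    return {"template": template["name"], "status": status, "weaknesses": weaknesses}


def audit_templates(templates):
    """Audit every template and keep only those carrying the agent EKU."""
    return [finding for finding in map(audit_template, templates) if finding]


def hardened_copy(template):
    """Corrected settings for an agent template: approval, one signature, no broad enrollment."""
    fixed = dict(template)
    fixed["msPKI-Enrollment-Flag"] = template.get("msPKI-Enrollment-Flag", 0) | CT_FLAG_PEND_ALL_REQUESTS
    fixed["msPKI-RA-Signature"] = max(1, template.get("msPKI-RA-Signature", 0))
    fixed["enroll_principals"] = [p for p in template.get("enroll_principals", [])
                                  if p not in LOW_PRIV_PRINCIPALS]
    return fixed


if __name__ == "__main__":
    for finding in audit_templates(SAMPLE_TEMPLATES):
        print(finding)
    print(audit_template(hardened_copy(SAMPLE_TEMPLATES[0])))
```

Only templates with the agent EKU are reported, so the audit doubles as an inventory of where ESC3 could start; a template is "exposed" only when broad enrollment, no manager approval and no required signature coincide, and "review" when it is narrower but still relies on a single control. Real templates also carry enrollment rights in an ACL rather than a name list, so a production version would resolve the ACE trustees before applying the same logic.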