This note documents detection patterns related to ADCS ESC4 within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | ESC4 involves modification of certificate template permissions. Review changes to template ACLs such as enrollment rights or Write permissions. |
| Security | 4886 | Certificate issued | High | Certificate issuance following template modification may indicate exploitation. |
| Security | 4887 | Certificate request approved | Medium | Suspicious approvals shortly after template changes. |
| Security | 4768 | Kerberos TGT request | High | Certificate obtained after template abuse may be used for PKINIT authentication. |
| Security | 4624 | Successful logon | High | Certificate-based authentication may follow template modification. |
| Sysmon | 1 | Process creation | Medium | Execution of tools like Certipy, Certify, or PowerView to modify template permissions. |
| Sysmon | 3 | Network connection | Medium | Connections to domain controller or CA during exploitation. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Template ACL modification | Changes to enrollment or write permissions on certificate templates | Critical | Core configuration change enabling ESC4 exploitation. |
| Low-privilege account gaining template rights | Unexpected delegation of enrollment or write rights to non-admin users | High | Indicates attacker manipulation of template ACLs. |
| Certificate enrollment shortly after ACL change | Certificates issued soon after template permission modification | Critical | Suggests the attacker modified the template and then enrolled a certificate from it. |
| Authentication using certificate | User authenticating via PKINIT after template abuse | High | Indicates certificate-based impersonation. |
| Administrative activity after authentication | Privilege escalation actions following certificate-based login | Critical | Attacker leveraging certificate for domain compromise. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates and exploits ESC4 by modifying template ACLs. |
| Certify | Used to request certificates after template permissions are modified. |
| PowerView | Modifies AD object ACLs including certificate templates. |
| BloodHound | Identifies paths allowing template modification. |
| Rubeus | Uses issued certificates to request Kerberos tickets. |
Relevant Artifacts
- Domain controller Security logs (5136, 4886)
- Certificate Authority logs (4886, 4887)
- Certificate template configuration
- AD object ACL change history
- Sysmon logs (1, 3)
- PKINIT authentication logs
- EDR telemetry detecting certificate abuse tools
- Prefetch artifacts showing execution of Certipy or PowerView
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1098 Account Manipulation
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for Event 5136 modifying certificate template ACLs.
- What host generated the event?
  - Identify the workstation from which the template object was modified.
- Is the account expected to perform this action?
  - Template modifications should normally only originate from PKI administrators.
- Pivot:
  - Source host → inspect execution of Certipy, Certify, or PowerView.
  - Account → verify permission changes and enrollment activity.
  - Network → analyze PKINIT authentication events following the template modification.
- Confirm exploitation:
  - Determine whether the attacker issued a certificate after modifying template permissions.
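The chain the decision tree and the indirect indicators describe (a template ACL change followed shortly by a certificate request for that template) can be checked mechanically. The following is an added example, not part of the original note: it runs over constructed, already-flattened 5136 and 4886 records (real events would need their EventData fields extracted first), uses the Windows field names ObjectDN, AttributeLDAPDisplayName, SubjectUserName, Requester and Attributes, and assumes a one-hour window and a list of expected PKI administrators.

```python
"""Correlate certificate-template ACL changes (5136) with requests (4886).

Added example, not part of the original note. SAMPLE_EVENTS is constructed
and already flattened to dicts; real events need their EventData fields
extracted first. Field names (ObjectDN, AttributeLDAPDisplayName,
SubjectUserName, Requester, Attributes) follow the Windows Security log;
the one-hour window and the PKI admin list are assumptions.
"""
from datetime import datetime

# Every certificate template lives under this container in the Configuration NC.
TEMPLATE_CONTAINER = "CN=Certificate Templates,CN=Public Key Services"
# Attribute written when a template's ACL (enroll / write rights) changes.
ACL_ATTRIBUTE = "nTSecurityDescriptor"


def dn(template_name):
    """Build a template DN for the constructed domain corp.example."""
    return f"CN={template_name},{TEMPLATE_CONTAINER},CN=Services,CN=Configuration,DC=corp,DC=example"


def template_from_dn(object_dn):
    """Return the template CN when the DN is under the template container, else None."""
    if TEMPLATE_CONTAINER not in object_dn:
        return None
    rdn = object_dn.split(",", 1)[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else None


def template_from_attributes(attributes):
    """Extract the template name from a 4886 Attributes string, which holds
    newline-separated tokens such as 'CertificateTemplate:WebServer'."""
    for token in attributes.replace("\n", " ").split():
        if token.lower().startswith("certificatetemplate:"):
            return token.split(":", 1)[1]
    return None


def find_esc4_chains(events, window_minutes=60, pki_admins=frozenset()):
    """Pair each template-ACL change with requests for that template arriving
    within window_minutes afterwards. Each hit records who changed the ACL,
    whether that account is an expected PKI admin, and who requested."""
    acl_changes = []
    for e in events:
        if e["EventID"] == 5136 and e.get("AttributeLDAPDisplayName") == ACL_ATTRIBUTE:
            template = template_from_dn(e["ObjectDN"])
            if template:  # ignore ACL changes on objects that are not templates
                acl_changes.append((datetime.fromisoformat(e["time"]), template, e["SubjectUserName"]))
    hits = []
    for e in events:
        if e["EventID"] != 4886:
            continue
        template = template_from_attributes(e.get("Attributes", ""))
        requested_at = datetime.fromisoformat(e["time"])
        for modified_at, changed_template, modifier in acl_changes:
            minutes_after = (requested_at - modified_at).total_seconds() / 60
            if changed_template == template and 0 <= minutes_after <= window_minutes:
                hits.append({
                    "template": template,
                    "modified_by": modifier,
                    "unexpected_modifier": modifier not in pki_admins,
                    "modified_at": modified_at.isoformat(),
                    "requester": e["Requester"],
                    "minutes_after_change": int(minutes_after),
                })
    return hits


# Constructed sample: an ACL change on WebServer by a non-PKI account followed
# seven minutes later by a request for that template, plus benign noise.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": dn("WebServer"), "AttributeLDAPDisplayName": ACL_ATTRIBUTE},
    {"time": "2024-05-01T10:07:00", "EventID": 4886, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:WebServer\nccm:WS01.corp.example"},
    {"time": "2024-05-01T11:00:00", "EventID": 5136, "SubjectUserName": "pkiadmin",
     "ObjectDN": dn("User"), "AttributeLDAPDisplayName": ACL_ATTRIBUTE},
    {"time": "2024-05-02T09:00:00", "EventID": 4886, "Requester": "CORP\\svc-web",
     "Attributes": "CertificateTemplate:User"},  # 22 h later: outside the window
    {"time": "2024-05-01T10:03:00", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Sales,OU=Groups,DC=corp,DC=example",
     "AttributeLDAPDisplayName": ACL_ATTRIBUTE},  # ACL change, but not a template
]

if __name__ == "__main__":
    for hit in find_esc4_chains(SAMPLE_EVENTS, pki_admins=frozenset({"pkiadmin"})):
        print(hit)
```

Only the WebServer chain is reported: the account that rewrote the ACL is not on the PKI admin list and requested a certificate from the same template seven minutes later. The User template change by pkiadmin is followed by a request, but 22 hours later, so it falls outside the window; widening the window brings it back as a lower-confidence hit. Other template attributes written during ESC4 tampering can be added alongside nTSecurityDescriptor in the 5136 filter.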
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID == 5136
| where ObjectDN contains "Certificate Templates"
| project TimeGenerated, SubjectUserName, ObjectDN, AttributeLDAPDisplayName

SecurityEvent
| where EventID == 4886
| summarize count() by CertificateTemplate, Requester, bin(TimeGenerated, 10m)
```
EQL
```eql
// Restrict to template objects; a bare event.code match fires on every directory object change.
any where event.code == "5136" and winlog.event_data.ObjectDN : "*CN=Certificate Templates,CN=Public Key Services*"
```
Sigma
```yaml
title: Suspicious Certificate Template Permission Modification
id: adcs-esc4-detection
status: experimental
description: Detects modification of certificate template permissions which may enable ESC4 exploitation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5136
        # Limit to template objects and to security-descriptor (ACL) writes;
        # EventID 5136 alone matches every audited directory object change.
        ObjectDN|contains: 'CN=Certificate Templates,CN=Public Key Services'
        AttributeLDAPDisplayName: 'nTSecurityDescriptor'
    condition: selection
fields:
    - SubjectUserName
    - ObjectDN
    - AttributeLDAPDisplayName
falsepositives:
    - Legitimate PKI administrative operations
level: high
tags:
    - attack.persistence
    - attack.t1098
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Template ACL protection | Restrict who can modify certificate template permissions | Critical | Prevents attackers from enabling vulnerable templates. |
| PKI administration control | Limit PKI administrative privileges to dedicated accounts | High | Reduces attack surface. |
| Template auditing | Regularly audit certificate template ACLs | High | Detects unauthorized permission changes. |
| Monitoring | Alert on Event 5136 involving certificate templates | High | Early detection of configuration tampering. |
| AD security reviews | Review delegation rights in AD periodically | High | Identifies risky permissions enabling ESC4. |
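The "Template auditing" and "AD security reviews" rows above call for periodic ACL review; one way to make that repeatable is to diff each template's ACL against a baseline exported at the last review. The following is an added example, not part of the original note: both snapshots are constructed dicts of template → set of (principal, right) pairs, the right names are simplified labels rather than raw ACE access masks, and the trusted-principal list is an assumption. In practice the snapshots would be exported from each template object's security descriptor and the baseline stored outside AD.

```python
"""Audit certificate-template ACLs against a known-good baseline.

Added example, not part of the original note. BASELINE and SNAPSHOT are
constructed: template name -> set of (principal, right) pairs. Right names
are simplified labels, not raw ACE access masks; TRUSTED is an assumption.
"""

# Rights that let a principal rewrite the template itself (the ESC4 precondition).
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty"}
# Rights that only let a principal request certificates from the template.
ENROLL_RIGHTS = {"Enroll", "AutoEnroll"}


def diff_template_acls(baseline, snapshot, trusted_principals):
    """Compare two ACL snapshots and return a finding for every added or
    removed ACE. Severity: 'critical' for control rights granted to an
    untrusted principal, 'high' for enrollment rights granted to one,
    'medium' for any removed ACE (a trusted grant may have been stripped),
    'info' for everything else. A template missing from the baseline is
    treated as having had no ACEs, so every ACE on it is reported."""
    findings = []
    for template in sorted(set(baseline) | set(snapshot)):
        before = baseline.get(template, set())
        after = snapshot.get(template, set())
        for principal, right in sorted(after - before):
            if principal in trusted_principals:
                severity = "info"
            elif right in CONTROL_RIGHTS:
                severity = "critical"
            elif right in ENROLL_RIGHTS:
                severity = "high"
            else:
                severity = "info"
            findings.append({"template": template, "change": "added",
                             "principal": principal, "right": right, "severity": severity})
        for principal, right in sorted(before - after):
            findings.append({"template": template, "change": "removed",
                             "principal": principal, "right": right, "severity": "medium"})
    return findings


TRUSTED = {"CORP\\Domain Admins", "CORP\\Enterprise Admins", "CORP\\PKI Admins"}

# Constructed baseline exported when the templates were last reviewed.
BASELINE = {
    "WebServer": {("CORP\\PKI Admins", "GenericAll"),
                  ("CORP\\Domain Admins", "GenericAll"),
                  ("CORP\\Web Servers", "Enroll")},
    "User": {("CORP\\PKI Admins", "GenericAll"),
             ("CORP\\Domain Users", "Enroll"),
             ("CORP\\Domain Users", "AutoEnroll")},
}

# Constructed current snapshot: Domain Users gained write and enroll rights on
# WebServer, Domain Admins lost control of it, and an unreviewed template appeared.
SNAPSHOT = {
    "WebServer": {("CORP\\PKI Admins", "GenericAll"),
                  ("CORP\\Web Servers", "Enroll"),
                  ("CORP\\Domain Users", "WriteDacl"),
                  ("CORP\\Domain Users", "Enroll")},
    "User": BASELINE["User"],
    "TestTemplate": {("CORP\\jdoe", "GenericAll")},
}

if __name__ == "__main__":
    for f in diff_template_acls(BASELINE, SNAPSHOT, TRUSTED):
        print(f"[{f['severity']:8}] {f['template']}: {f['change']} {f['right']} for {f['principal']}")
```

Against the constructed data the diff yields two critical findings (WriteDacl for Domain Users on WebServer, GenericAll for a single user on the new TestTemplate), one high (Enroll for Domain Users on WebServer) and one medium (Domain Admins' GenericAll removed). Re-exporting the baseline after each approved change keeps the report limited to unreviewed drift.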