This note documents detection patterns for ADCS ESC5 (vulnerable PKI object access control) within Active Directory environments: an attacker with write access to PKI objects in the Configuration partition, most importantly NTAuthCertificates, can introduce a CA the domain trusts for client authentication and then authenticate with certificates it issues.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | ESC5 involves modification of PKI objects in the Configuration partition (e.g., NTAuthCertificates or CA objects). Review ObjectDN, AttributeLDAPDisplayName, AttributeValue and OperationType (%%14674 = value added, %%14675 = value deleted). 5136 is only written when "Audit Directory Service Changes" is enabled and the object carries a SACL for the write; without that SACL there is no event to find. |
| Security | 4886 | Certificate request received | Medium | Logged on the CA server, not the DC; requires Certification Services auditing on the CA. Unexpected requests shortly after a PKI object change deserve review. |
| Security | 4887 | Certificate request approved and certificate issued | High | Logged on the CA server. Certificates issued to unexpected requesters after a PKI configuration change may indicate abuse. |
| Security | 4768 | Kerberos TGT request | High | A certificate obtained or forged through a malicious PKI configuration is used via PKINIT. Pre-Authentication Type 16 (PA-PK-AS-REQ) marks a certificate logon; the Certificate Information fields (issuer name, serial number, thumbprint) reveal an issuer that is not one of your enterprise CAs. |
| Security | 4624 | Successful logon | Medium | 4624 alone does not show that a certificate was used; pair it with the 4768 certificate fields for the same account and time window following the configuration change. |
| Sysmon | 1 | Process creation | Medium | Execution of ADCS exploitation tools such as Certipy, Certify, or PowerView. |
| Sysmon | 3 | Network connection | Medium | Connections to domain controllers or CA servers during configuration manipulation. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Modification of NTAuthCertificates | A new cACertificate value on CN=NTAuthCertificates | Critical | Any CA certificate placed here is trusted for client authentication domain-wide; an attacker who adds a rogue CA can then issue certificates for any account and use them for PKINIT or Schannel logon. |
| Changes in PKI configuration objects | Modification of objects under CN=Public Key Services,CN=Services,CN=Configuration (Certification Authorities, Enrollment Services, Certificate Templates, NTAuthCertificates) | Critical | Key location for ESC5 exploitation; write access to any of these objects is the vulnerability. |
| Unexpected certificate trust relationships | New CA certificates appearing in NTAuth store | High | Indicates attacker may be introducing rogue certificate authority. |
| Certificate authentication after configuration change | User authenticates via certificate shortly after PKI modification | High | Possible forged certificate usage. |
| Privileged activity after authentication | Administrative actions performed shortly after certificate logon | Critical | Indicates attacker leveraging forged authentication certificates. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates PKI misconfigurations including ESC5, forges certificates from a CA key (certipy forge) and authenticates with them (certipy auth). |
| Certify | Used to interact with certificate services and enumerate vulnerabilities. |
| PowerView | Modifies AD objects including PKI configuration containers. |
| ForgeCert | Used to generate forged certificates if attacker controls trusted CA. |
| Rubeus | Requests Kerberos tickets using forged certificates. |
Relevant Artifacts
- Domain controller Security logs (5136, 4768 with certificate information)
- CA server Security logs (4886, 4887)
- Configuration partition objects in AD
- NTAuthCertificates container
- Certificate Authority trust configuration
- Sysmon logs (1, 3)
- PKINIT authentication evidence: 4768 events with Pre-Authentication Type 16 and their certificate issuer, serial number and thumbprint fields
- EDR telemetry identifying certificate abuse tools
- Prefetch artifacts showing Certipy / PowerView execution
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1098 Account Manipulation
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for Event 5136 whose ObjectDN is under CN=Public Key Services,CN=Services,CN=Configuration; confirm first that the container has a SACL, otherwise the absence of 5136 proves nothing.
- What host generated the event?
  - 5136 is written on the domain controller that processed the write and carries no client address; match SubjectLogonId to a 4624 on that DC to find the source host, then inspect that host.
- Is the account expected to perform this action?
  - Only PKI administrators (and the CA's own setup or renewal operations) should modify CA trust configuration.
- Pivot:
  - Source host: inspect Sysmon 1 for execution of Certipy, Certify or PowerView around the modification time.
  - Account: review its privileges and recent permission changes on the PKI containers.
  - Network: inspect 4768 events with Pre-Authentication Type 16 in the hours after the change and compare the certificate issuer against your known CAs.
- Confirm exploitation
  - Determine whether a rogue CA certificate was added to NTAuthCertificates and whether any certificate logon chained to it, then what the authenticated account did next.
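The two stages of the decision tree above, and the "rogue CA followed by certificate authentication" pattern from the Indirect Indicators table, as an added example that is not part of this note or of any tool it names. It parses Windows event XML, classifies 5136 writes under the PKI container (a cACertificate value added to NTAuthCertificates is rated critical) and then flags 4768 PKINIT requests whose certificate issuer is not a known enterprise CA, raising severity when such a request follows a PKI change inside a window. The field names (ObjectDN, OperationType, PreAuthType, CertIssuerName) are those of the real 5136/4768 event schemas; the event records, the KNOWN_ISSUERS set and the 24-hour window are constructed assumptions.

```python
"""Added example: correlate 5136 PKI-object modifications with later PKINIT
TGT requests (4768) whose issuing CA is unknown. Sample events are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PKI_CONTAINER = "CN=Public Key Services,CN=Services,CN=Configuration,"
NTAUTH_PREFIX = "CN=NTAuthCertificates,"
VALUE_ADDED = "%%14674"      # 5136 OperationType: value added (%%14675 = value deleted)
PKINIT_PREAUTH = "16"        # 4768 PreAuthType PA-PK-AS-REQ, i.e. a certificate logon
# Assumption: issuer DNs of the organisation's legitimate enterprise CAs.
KNOWN_ISSUERS = {"CN=CORP-ISSUING-CA,DC=corp,DC=example"}


def make_event(event_id, when, data):
    """Build minimal Windows event XML (constructed sample, same shape as the real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Return {'id', 'time', 'data'} from an event XML string."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    when = system.find(f"{NS}TimeCreated").get("SystemTime").replace("Z", "+00:00")
    data = {d.get("Name"): (d.text or "")
            for d in root.find(f"{NS}EventData").findall(f"{NS}Data")}
    return {"id": int(system.find(f"{NS}EventID").text),
            "time": datetime.fromisoformat(when), "data": data}


def classify_5136(ev):
    """Return a finding for a 5136 that touches the PKI container, else None."""
    d = ev["data"]
    dn = d.get("ObjectDN", "")
    if PKI_CONTAINER not in dn:
        return None
    op = "added" if d.get("OperationType") == VALUE_ADDED else "removed"
    attr = d.get("AttributeLDAPDisplayName", "")
    # A new cACertificate value on NTAuthCertificates makes a new CA trusted for
    # client authentication domain-wide: the ESC5 rogue-CA primitive.
    critical = dn.startswith(NTAUTH_PREFIX) and attr == "cACertificate" and op == "added"
    return {"time": ev["time"],
            "actor": f'{d.get("SubjectDomainName", "")}\\{d.get("SubjectUserName", "")}',
            "dn": dn, "attr": attr, "op": op,
            "severity": "critical" if critical else "high"}


def correlate(xml_events, window=timedelta(hours=24)):
    """Stage 1: flag PKI-object changes. Stage 2: flag PKINIT logons with an
    unknown issuer, escalating when one follows a PKI change inside the window."""
    events = [parse_event(x) for x in xml_events]
    mods = [f for f in map(classify_5136, (e for e in events if e["id"] == 5136)) if f]
    alerts = []
    for e in events:
        d = e["data"]
        if e["id"] != 4768 or d.get("PreAuthType") != PKINIT_PREAUTH:
            continue
        issuer = d.get("CertIssuerName", "")
        if issuer in KNOWN_ISSUERS:
            continue
        prior = [m for m in mods if timedelta(0) <= e["time"] - m["time"] <= window]
        alerts.append({"time": e["time"], "user": d.get("TargetUserName", ""),
                       "issuer": issuer, "source": d.get("IpAddress", ""),
                       "preceded_by_pki_change": bool(prior),
                       "severity": "critical" if prior else "high"})
    return mods, alerts


BASE = "CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example"
SAMPLE_EVENTS = [  # constructed sample data, not real log extracts
    make_event(5136, "2024-05-01T10:00:00.000Z", {
        "SubjectUserName": "svc-deploy", "SubjectDomainName": "CORP",
        "ObjectDN": f"CN=NTAuthCertificates,{BASE}",
        "AttributeLDAPDisplayName": "cACertificate", "OperationType": "%%14674"}),
    make_event(5136, "2024-05-01T10:02:00.000Z", {
        "SubjectUserName": "svc-deploy", "SubjectDomainName": "CORP",
        "ObjectDN": f"CN=CORP-ISSUING-CA,CN=Enrollment Services,{BASE}",
        "AttributeLDAPDisplayName": "certificateTemplates", "OperationType": "%%14674"}),
    make_event(5136, "2024-05-01T10:03:00.000Z", {  # ordinary user write, ignored
        "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP",
        "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"}),
    make_event(4768, "2024-05-01T10:30:00.000Z", {  # PKINIT from a CA we do not know
        "TargetUserName": "administrator", "PreAuthType": "16",
        "IpAddress": "::ffff:10.0.0.50", "CertIssuerName": "CN=ROGUE-CA"}),
    make_event(4768, "2024-05-01T10:35:00.000Z", {  # PKINIT from the legitimate CA
        "TargetUserName": "jdoe", "PreAuthType": "16", "IpAddress": "::ffff:10.0.0.51",
        "CertIssuerName": "CN=CORP-ISSUING-CA,DC=corp,DC=example"}),
    make_event(4768, "2024-05-01T10:40:00.000Z", {  # password pre-auth, not PKINIT
        "TargetUserName": "jdoe", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.51"}),
]

if __name__ == "__main__":
    mods, alerts = correlate(SAMPLE_EVENTS)
    for m in mods:
        print(f'[{m["severity"]}] {m["actor"]} {m["op"]} {m["attr"]} on {m["dn"]}')
    for a in alerts:
        print(f'[{a["severity"]}] PKINIT for {a["user"]} from {a["source"]} '
              f'issued by {a["issuer"]} (after PKI change: {a["preceded_by_pki_change"]})')
```

Run against the constructed input this produces two PKI findings (the NTAuthCertificates write rated critical, the Enrollment Services write rated high) and one critical alert for the administrator logon issued by CN=ROGUE-CA; the legitimate-CA logon and the password logon produce nothing. In production, the issuer allow-list should be built from the certificates actually present in NTAuthCertificates and the Enrollment Services objects rather than hard-coded.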
Example Detection Templates
KQL

```kql
// 5136 writes under the PKI container; requires a SACL on CN=Public Key Services
SecurityEvent
| where EventID == 5136
| where ObjectDN contains "CN=Public Key Services,CN=Services,CN=Configuration"
| project TimeGenerated, Computer, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType
```

```kql
// Issuance volume per template and requester on the CA (4887 = approved and issued;
// 4886 is only the request). Field names depend on how your connector parses EventData.
SecurityEvent
| where EventID == 4887
| summarize count() by CertificateTemplate, Requester, bin(TimeGenerated, 10m)
```

EQL

```eql
any where event.code == "5136" and
  winlog.event_data.ObjectDN : "*CN=Public Key Services,CN=Services,CN=Configuration*"
```
Sigma

```yaml
title: Suspicious PKI Configuration Modification
id: adcs-esc5-detection   # replace with a UUID before shipping, as the Sigma specification requires
status: experimental
description: Detects modification of objects under CN=Public Key Services in the Configuration partition, which may enable ESC5 abuse. Requires a SACL on the container so that 5136 is generated.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    ObjectDN|contains: 'CN=Public Key Services,CN=Services,CN=Configuration'
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
  - AttributeLDAPDisplayName
  - AttributeValue
  - OperationType
falsepositives:
  - Legitimate PKI administration (CA installation or renewal, template publishing)
level: high
tags:
  - attack.persistence
  - attack.t1098
  - attack.t1649
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| PKI object protection | Restrict modification of PKI configuration containers | Critical | Prevents attackers altering CA trust relationships. |
| PKI auditing | Enable "Audit Directory Service Changes" and place a SACL for write operations on CN=Public Key Services and its child objects, NTAuthCertificates in particular | High | Without the SACL no 5136 is generated for these writes, so the detections above stay silent. |
| CA trust monitoring | Regularly review trusted CA certificates in NTAuth store | High | Ensures rogue CAs are not introduced. |
| Administrative separation | Use dedicated PKI admin accounts | High | Reduces misuse of privileges. |
| Security monitoring | Alert on Event 5136 for PKI objects | High | Provides early warning of configuration tampering. |