This note documents detection patterns for ADCS ESC6 within Active Directory environments: abuse of a Certificate Authority on which the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled, allowing an enroller to supply a Subject Alternative Name (SAN) in any certificate request.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate issued | Critical | Certificate issued by a CA on which EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled. Review Requester, CertificateTemplate, and SAN values. |
| Security | 4887 | Certificate request approved | Medium | Manual approvals of suspicious requests containing alternate identities. |
| Security | 4768 | Kerberos TGT request | Critical | ESC6 abuse enables authentication via PKINIT using a certificate containing a malicious Subject Alternative Name. |
| Security | 4624 | Successful logon | High | Certificate-based authentication events shortly after certificate issuance. |
| Security | 4672 | Special privileges assigned | High | Privileged session following certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of tools like Certipy, Certify, or Rubeus interacting with ADCS. |
| Sysmon | 3 | Network connection | Medium | Connections to CA server or domain controller during exploitation. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Certificate with unusual SAN | Subject Alternative Name referencing privileged accounts | Critical | ESC6 allows an attacker to supply an arbitrary SAN and impersonate another identity. |
| Low privilege user requesting certificate with SAN | Standard user requesting certificate with custom SAN attributes | High | May indicate exploitation of vulnerable template configuration. |
| PKINIT authentication following enrollment | Kerberos TGT request soon after certificate issuance | High | Suggests certificate being used for authentication. |
| Authentication from unusual host | User authenticating from workstation not typically associated with account | High | Potential attacker-controlled host. |
| Immediate privileged activity | Administrative activity after certificate-based authentication | Critical | Indicates certificate abuse leading to privilege escalation. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates and exploits ESC6 certificate template misconfigurations. |
| Certify | Requests certificates using vulnerable templates. |
| Rubeus | Requests Kerberos tickets using certificates via PKINIT. |
| ForgeCert | Creates forged certificates when CA keys are compromised. |
| Certutil | Built-in tool used for certificate management and enrollment. |
Relevant Artifacts
- ADCS server Security logs (4886, 4887)
- Domain controller Security logs (4768, 4624, 4672)
- Certificate Authority database records
- Certificate request logs containing SAN attributes
- Sysmon logs (1, 3)
- PKINIT authentication logs
- EDR telemetry identifying certificate abuse tooling
- Prefetch artifacts showing execution of Certipy or Certify
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify certificate issuance events (4886) containing unusual SAN attributes.
- What host generated the event?
  - Determine the system submitting the certificate request.
- Is the account expected to perform this action?
  - Investigate low privilege accounts requesting certificates containing alternate identities.
- Pivot:
  - Source host → inspect execution of Certipy or Certify.
  - Account → verify whether the SAN references another user identity.
  - Network → inspect PKINIT authentication events following certificate issuance.
- Confirm exploitation
  - Determine whether the issued certificate was used to authenticate as another user.
Example Detection Templates
KQL

```kql
// Certificate issuance events: review requester, template and SAN values
SecurityEvent
| where EventID == 4886
| project TimeGenerated, Requester, CertificateTemplate, SubjectUserName
```

```kql
// TGT requests bucketed per account and source address for correlation with issuance
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4886"
```
Sigma

```yaml
title: Suspicious Certificate Enrollment With SAN
id: adcs-esc6-detection
status: experimental
description: Detects suspicious certificate enrollment containing alternate identities
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4886
  condition: selection
fields:
  - Requester
  - CertificateTemplate
falsepositives:
  - Legitimate certificate requests with SAN attributes
level: medium
tags:
  - attack.credential_access
  - attack.t1649
```
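The templates above only select single events; the decision tree's "confirm exploitation" step needs the two stages correlated. The following is an added example, not part of the original note: it flags 4886 events whose SAN names an identity other than the requester and pairs each with a later 4768 TGT request for that identity using certificate pre-authentication (4768 Pre-Authentication Type 16, PA-PK-AS-REQ). The event dictionaries are constructed samples, and the `San` field is an assumed, pre-extracted value from the request's SAN attributes; a real pipeline would parse it from the event's EventData.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# 4886 / 4768 Security event fields; "San" is an assumed field holding the
# UPN extracted from the request's Subject Alternative Name attributes.
EVENTS = [
    {"EventID": 4886, "Time": "2024-05-01T10:00:05", "Requester": "CORP\\jdoe",
     "CertificateTemplate": "User", "San": "jdoe@corp.local"},
    {"EventID": 4886, "Time": "2024-05-01T10:02:10", "Requester": "CORP\\jdoe",
     "CertificateTemplate": "User", "San": "administrator@corp.local"},
    {"EventID": 4768, "Time": "2024-05-01T10:03:40", "TargetUserName": "administrator",
     "IpAddress": "10.0.5.23", "PreAuthType": "16"},
    {"EventID": 4768, "Time": "2024-05-01T11:30:00", "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "PreAuthType": "2"},
]

PKINIT_PREAUTH = "16"        # 4768 Pre-Authentication Type 16 = PA-PK-AS-REQ
WINDOW = timedelta(minutes=30)  # issuance-to-TGT window considered suspicious

def _ts(event):
    return datetime.fromisoformat(event["Time"])

def _sam(name):
    """Normalise 'DOMAIN\\user' or 'user@domain' to a lowercase account name."""
    return name.split("\\")[-1].split("@")[0].lower()

def san_mismatches(events):
    """4886 events whose SAN names an identity other than the requester."""
    return [e for e in events
            if e["EventID"] == 4886 and _sam(e["San"]) != _sam(e["Requester"])]

def correlate(events, window=WINDOW):
    """Pair each SAN-mismatch issuance with a later PKINIT TGT request (4768,
    pre-auth type 16) for the SAN identity within `window`."""
    tgts = [e for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == PKINIT_PREAUTH]
    hits = []
    for iss in san_mismatches(events):
        for tgt in tgts:
            delta = _ts(tgt) - _ts(iss)   # TGT must follow issuance
            if _sam(tgt["TargetUserName"]) == _sam(iss["San"]) \
                    and timedelta(0) <= delta <= window:
                hits.append((iss, tgt))
    return hits

if __name__ == "__main__":
    for iss, tgt in correlate(EVENTS):
        print(iss["Requester"], "-> SAN", iss["San"], "PKINIT TGT from", tgt["IpAddress"])
```

The 4768 for `jdoe` with pre-auth type 2 (password) is ignored, so the only hit is the `administrator` SAN followed 90 seconds later by a certificate-based TGT request from 10.0.5.23.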
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| CA configuration | Disable EDITF_ATTRIBUTESUBJECTALTNAME2 where not required | Critical | Prevents attackers from specifying arbitrary SAN values. |
| Enrollment permissions | Restrict certificate enrollment rights | High | Limits access to vulnerable templates. |
| Template auditing | Regularly audit certificate templates for SAN configuration | High | Detects ESC6 exposure. |
| Monitoring | Alert on certificate issuance containing unusual SAN entries | High | Early detection of exploitation attempts. |
| PKI hardening | Restrict administrative access to ADCS infrastructure | High | Reduces risk of certificate abuse. |