This note documents detection patterns for ADCS ESC7 (Vulnerable Certificate Authority Access Control) in Active Directory environments. ESC7 is a CA whose ManageCA (CA Administrator, access mask 0x1) or ManageCertificates (Certificate Manager, access mask 0x2) right is held by a low-privileged principal. A ManageCA holder can grant ManageCertificates to a principal of their choosing, publish additional templates on the CA (the SubCA template in the Certipy chain) and, as a certificate manager, approve or resubmit pending and denied requests, ending with a certificate for an arbitrary account and a PKINIT logon. These rights live in the CA's own security descriptor on the CA host (registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\Security), not on an AD object, so directory-object auditing (Event 5136) does not record them. The evidence comes from Certification Services auditing on the CA server, which is off by default: the "Audit Certification Services" advanced audit subcategory must be enabled and the CA audit filter must cover the relevant categories (certutil -setreg CA\AuditFilter 127 enables all seven; a CertSvc restart is needed for the change to take effect).
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security (CA host) | 4882 | The security permissions for Certificate Services changed | Critical | Core ESC7 indicator. The NewPermissions field carries the new CA security descriptor in SDDL; diff it against the baseline and flag any SID that gains ManageCA (0x1) or ManageCertificates (0x2) and is not a PKI administrator. Requires the "Change CA security settings" audit category. |
| Security (CA host) | 4885 | The audit filter for Certificate Services changed | Critical | A ManageCA holder can turn CA auditing down before abusing the CA; treat any reduction of the filter outside a change window as tampering. |
| Security (CA host) | 4892 | A property of Certificate Services changed | High | The list of templates published on the CA is a CA property; publishing SubCA (or another template the attacker can enrol in) is the second step of the Certipy ESC7 chain. |
| Security (CA host) | 4898 | Certificate Services loaded a template | Medium | A template never seen before on this CA being loaded, SubCA in particular. |
| Security (CA host) | 4886 | Certificate Services received a certificate request | Medium | Attributes shows the requested template (CertificateTemplate:SubCA) and Requester the requesting account; keep RequestId for correlation with the events below. |
| Security (CA host) | 4888 | Certificate Services denied a certificate request | Medium | In the SubCA chain the first request is denied because the requester lacks enrol rights on the template; a denial followed by 4869 and 4887 for the same RequestId is the tell. |
| Security (CA host) | 4869 | Certificate Services received a resubmitted certificate request | High | Resubmission of a denied or pending request by a freshly granted certificate manager, often the same account that made the request. |
| Security (CA host) | 4887 | Certificate Services approved a certificate request and issued a certificate | High | Issuance shortly after 4882, or for a resubmitted request; in the SubCA chain the certificate carries a UPN or SAN naming a privileged account. |
| Security (DC) | 4768 | A Kerberos authentication ticket (TGT) was requested | High | PKINIT shows as PreAuthType 16 (PA-PK-AS-REQ) with the Certificate Information fields (issuer, serial number, thumbprint) populated; TargetUserName is the impersonated account. |
| Security (DC / target) | 4624 | An account was successfully logged on | Medium | Not certificate-specific on its own; correlate logons of the impersonated account with the preceding 4768. |
| Security | 4672 | Special privileges assigned to new logon | High | Privileged session for the impersonated account following certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Certify.exe, Rubeus.exe, or certutil.exe with -setreg, -resubmit or -config on a domain host. Certipy is normally run from a non-domain-joined attacker machine, so expect no Sysmon record for it and rely on the CA-side events. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| CA security descriptor change | 4882 on the CA host, or a differing value between scheduled snapshots of CertSvc\Configuration\<CA name>\Security | Critical | Core ESC7 indicator; the rights are on the CA, not in AD, so AD ACL monitoring does not cover them. |
| Low-privileged principal holding CA rights | Domain Users, Authenticated Users, Users, or non-PKI service accounts with ManageCA or ManageCertificates | High | The vulnerable precondition; officers added by an attacker show up the same way. |
| New template published on the CA | SubCA, or another template that accepts a supplied subject, appearing in the CA's template list (4892/4898) | High | Second step of the Certipy ESC7 chain. |
| Denied or pending request later issued | Same RequestId in 4888 or 4889, then 4869, then 4887 | Critical | The approving account is the one granted ManageCertificates; cross-check it against 4882. |
| Certificate issuance shortly after the security change | 4887 within minutes of 4882 on the same CA | Critical | Attacker changed CA permissions, then issued a certificate. |
| CertSvc restart outside a change window | System log 7036 for Active Directory Certificate Services entering the stopped and running states | Medium | An EDITF_ATTRIBUTESUBJECTALTNAME2 change (the original ESC7 path) only takes effect after the service restarts. |
| Authentication using the certificate | 4768 with PreAuthType 16 for an account that has never used PKINIT before | High | Certificate-based impersonation. |
| Privileged activity after authentication | Administrative actions after the certificate logon | Critical | Escalation achieved with the issued certificate. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | certipy find flags ESC7; certipy ca -add-officer grants ManageCertificates, -enable-template publishes SubCA, -issue-request approves the denied request and -retrieve fetches the certificate; certipy auth performs the PKINIT logon. |
| Certify | Certify.exe cas enumerates CA-level permissions (who holds ManageCA and ManageCertificates); Certify.exe request requests certificates from the manipulated CA. |
| certutil / certsrv.msc | Built-in tooling that performs the same actions: certutil -setreg (EditFlags, AuditFilter), certutil -resubmit RequestId, and the Security tab of the CA console; logged as 4891, 4885, 4869 and 4882 respectively. |
| PowerView | Enumerates domain objects and their ACLs; CA rights are not AD object ACLs, so its role here is reconnaissance, not the ESC7 change itself. |
| BloodHound / SharpHound | Identifies privilege paths to accounts that hold CA control. |
| Rubeus | Rubeus asktgt /certificate: requests a TGT via PKINIT with the issued certificate. |
Relevant Artifacts
- CA host Security log: 4882, 4885, 4891, 4892, 4898, 4886, 4888, 4889, 4869, 4887 (only written when Certification Services auditing and the CA audit filter are enabled)
- Domain controller Security log: 4768 (PreAuthType 16 and the Certificate Information fields), 4624, 4672
- CA security descriptor: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\Security (binary security descriptor; snapshot it and diff as SDDL)
- CA configuration: published template list, policy\EditFlags, CA\AuditFilter
- CA database: request rows and their dispositions (certutil -view)
- System log: 7036 for CertSvc stop and start
- Sysmon logs (1)
- EDR telemetry identifying certificate abuse tooling
- Prefetch artifacts showing execution of Certify, Rubeus or certutil on domain hosts
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1098 Account Manipulation
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for 4882 on the CA host; check for 4885 as well, since the attacker may have reduced auditing first.
- What host generated the event?
  - The event is logged on the CA. The Subject fields give the account; the source host comes from network telemetry, because the CA administration interface (ICertAdminD2, MS-CSRA) is reached over RPC from the attacker's machine.
- Is the account expected to perform this action?
  - Only PKI administrators normally change CA security or publish templates; compare SubjectUserName with the PKI admin group and the change calendar.
- Pivot:
  - CA → diff NewPermissions against the baseline descriptor and list the SIDs that gained 0x1 or 0x2.
  - Requests → 4886, 4888/4889, 4869 and 4887 sharing a RequestId after the change; note the template in Attributes and the Requester.
  - DC → 4768 with PreAuthType 16 after issuance; TargetUserName identifies the impersonated account.
  - Source host → Sysmon/EDR for Certify, Rubeus or certutil; an absence is expected when Certipy ran from an unmanaged host.
- Confirm exploitation
  - A certificate issued after the permission change for an account the requester could not legitimately represent, then used for PKINIT, confirms ESC7. Revoke the certificate (4870 records the revocation) and remove the added rights.
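The decision tree above as runnable correlation logic, added here as an example and not taken from Certipy, Certify or any vendor content: it decodes the SDDL carried in a 4882 NewPermissions value into CA rights, diffs it against a baseline descriptor, lists the principals that hold admin or officer rights without being PKI admins (the ESC7 precondition), and walks a set of CA and DC event records looking for the denied → resubmitted → issued chain followed by a PKINIT TGT request. Field names follow the events' XML Data names (NewPermissions, RequestId, Requester, Attributes, PreAuthType, TargetUserName, CertThumbprint); the event records, SIDs, relative timestamps and the PKI_ADMINS allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# CA-specific access-right bits stored in the CA security descriptor (certca.h).
CA_RIGHTS = {0x1: "ManageCA", 0x2: "ManageCertificates", 0x4: "Auditor",
             0x8: "Operator", 0x100: "Read", 0x200: "Enroll"}
# SDDL two-letter rights tokens and the access-mask bits they encode.
# An unknown token raises KeyError on purpose: a detection should not silently skip rights.
SDDL_TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
               "GW": 0x40000000, "GR": 0x80000000}
# Principals allowed to hold ManageCA/ManageCertificates (assumed allowlist; tune per environment).
PKI_ADMINS = {"BA", "DA", "EA"}
ADMIN_RIGHTS = {"ManageCA", "ManageCertificates"}
# ACE grammar: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[A-Z]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")


def ace_mask(rights):
    """Convert an SDDL rights field (letter pairs or 0x hex) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_TOKENS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def allow_masks(sddl):
    """Map each SID to the union of its access-allowed ACE masks in the DACL."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    masks = defaultdict(int)
    for m in ACE_RE.finditer(dacl):
        if m["type"] == "A":  # access-allowed ACEs only; audit ACEs are type AU
            masks[m["sid"]] |= ace_mask(m["rights"])
    return masks


def risky_holders(sddl):
    """Non-PKI-admin SIDs holding ManageCA or ManageCertificates (the ESC7 precondition)."""
    return {sid: {n for b, n in CA_RIGHTS.items() if mask & b} & ADMIN_RIGHTS
            for sid, mask in allow_masks(sddl).items()
            if sid not in PKI_ADMINS and mask & 0x3}


def new_ca_rights(baseline_sddl, new_sddl):
    """Return {sid: set of CA right names} gained in new_sddl relative to the baseline."""
    old, new = allow_masks(baseline_sddl), allow_masks(new_sddl)
    gained = {}
    for sid, mask in new.items():
        added = mask & ~old.get(sid, 0)
        names = {name for bit, name in CA_RIGHTS.items() if added & bit}
        if names:
            gained[sid] = names
    return gained


def correlate(events, baseline_sddl, window=3600):
    """Walk CA and DC events ordered by 't' (seconds) and emit ESC7 alerts."""
    alerts, requests, last_issue = [], defaultdict(dict), None
    for e in sorted(events, key=lambda x: x["t"]):
        eid = e["EventID"]
        if eid == 4882:  # CA security descriptor changed: who gained admin/officer rights?
            for sid, names in new_ca_rights(baseline_sddl, e["NewPermissions"]).items():
                if sid not in PKI_ADMINS and names & ADMIN_RIGHTS:
                    alerts.append(("CA_RIGHTS_GRANTED", sid, sorted(names & ADMIN_RIGHTS),
                                   e["SubjectUserName"]))
        elif eid in (4886, 4888, 4889, 4869, 4887):  # request lifecycle keyed by RequestId
            req = requests[e["RequestId"]]
            req[eid] = e
            if eid == 4887 and 4869 in req and (4888 in req or 4889 in req):
                template = req.get(4886, {}).get("Attributes", "")
                alerts.append(("DENIED_OR_PENDING_REQUEST_ISSUED", e["RequestId"], template,
                               req[4869]["Requester"]))
                last_issue = e["t"]
        elif eid == 4768 and e.get("PreAuthType") == "16":  # PKINIT (PA-PK-AS-REQ)
            if last_issue is not None and e["t"] - last_issue <= window:
                alerts.append(("PKINIT_AFTER_ISSUANCE", e["TargetUserName"],
                               e.get("CertThumbprint", "")))
    return alerts


# Constructed sample data: a default-looking CA DACL where user jdoe (RID 1105) already
# holds ManageCA (CC = 0x1), then grants himself ManageCertificates (DC = 0x2) as well.
ATTACKER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASELINE_SD = ("O:BAG:SYD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDC;;;DA)"
               f"(A;;CCDC;;;EA)(A;;0x300;;;AU)(A;;CC;;;{ATTACKER_SID})")
NEW_SD = BASELINE_SD.replace(f"(A;;CC;;;{ATTACKER_SID})", f"(A;;CCDC;;;{ATTACKER_SID})")

EVENTS = [  # constructed records; keys follow the events' XML Data names
    {"EventID": 4882, "t": 0, "Computer": "CA01", "SubjectUserName": "jdoe",
     "NewPermissions": NEW_SD},
    {"EventID": 4886, "t": 120, "Computer": "CA01", "RequestId": "5521",
     "Requester": "CORP\\jdoe", "Attributes": "CertificateTemplate:SubCA"},
    {"EventID": 4888, "t": 121, "Computer": "CA01", "RequestId": "5521", "Requester": "CORP\\jdoe"},
    {"EventID": 4869, "t": 190, "Computer": "CA01", "RequestId": "5521", "Requester": "CORP\\jdoe"},
    {"EventID": 4887, "t": 191, "Computer": "CA01", "RequestId": "5521", "Requester": "CORP\\jdoe"},
    {"EventID": 4768, "t": 400, "Computer": "DC01", "TargetUserName": "Administrator",
     "PreAuthType": "16", "CertThumbprint": "0123456789ABCDEF0123456789ABCDEF01234567"},
]

if __name__ == "__main__":
    print("precondition:", risky_holders(BASELINE_SD))
    for alert in correlate(EVENTS, BASELINE_SD):
        print(alert)
```

Run it as-is to see the three alerts the sample chain produces; in practice feed correlate() with records parsed from the CA and DC Security logs and take the baseline descriptor from a known-good snapshot of the CA registry key. The SDDL diff is what makes 4882 actionable: the event alone fires on every legitimate permission edit, while a gained 0x1 or 0x2 for a SID outside the PKI admin set is the ESC7 signal.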
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4882
| extend NewPermissions = extract(@'<Data Name="NewPermissions">([^<]*)</Data>', 1, EventData)
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, NewPermissions

SecurityEvent
| where EventID in (4886, 4888, 4889, 4869, 4887)
| extend RequestId = extract(@'<Data Name="RequestId">([^<]*)</Data>', 1, EventData),
         Requester = extract(@'<Data Name="Requester">([^<]*)</Data>', 1, EventData),
         Attributes = extract(@'<Data Name="Attributes">([^<]*)</Data>', 1, EventData)
| summarize Events = make_set(EventID), Requesters = make_set(Requester), Template = max(Attributes),
            Start = min(TimeGenerated), End = max(TimeGenerated) by Computer, RequestId
| where set_has_element(Events, 4869) and set_has_element(Events, 4887)

SecurityEvent
| where EventID == 4768
| extend PreAuthType = extract(@'<Data Name="PreAuthType">([^<]*)</Data>', 1, EventData),
         CertThumbprint = extract(@'<Data Name="CertThumbprint">([^<]*)</Data>', 1, EventData)
| where PreAuthType == "16"
| project TimeGenerated, Computer, TargetUserName, IpAddress, CertThumbprint
EQL
sequence by host.name with maxspan=1h
  [any where event.code == "4882"]
  [any where event.code == "4887"]
Sigma
title: Certificate Services Security Permissions Changed (ADCS ESC7)
id: adcs-esc7-detection
status: experimental
description: Detects a change to the Certification Authority security permissions (Event 4882 on the CA host), the first step of ESC7. Requires Certification Services auditing with the "Change CA security settings" category enabled on the CA.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4882
  condition: selection
fields:
  - SubjectUserName
  - SubjectDomainName
  - NewPermissions
falsepositives:
  - Legitimate PKI administrative operations; compare SubjectUserName against the PKI administrators group and the change calendar
level: high
tags:
  - attack.credential_access
  - attack.t1649
  - attack.persistence
  - attack.t1098
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| CA permissions | Limit ManageCA and ManageCertificates on every CA to the PKI admin group; remove them from Domain Users, Authenticated Users, Users and non-PKI service accounts | Critical | Removes the ESC7 precondition; review with Certify.exe cas or certipy find. |
| Certificate manager restrictions | Enable "Restrict certificate managers" on the CA so each officer can only approve requests for named templates and principals | High | Limits what a compromised or attacker-added officer can issue. |
| Template publication | Keep the SubCA template, and any template that accepts a supplied subject, unpublished unless actively needed | High | Removes the template the common ESC7 chain relies on. |
| CA auditing | Enable "Audit Certification Services" and set the CA audit filter to 127 | Critical | Without it 4882, 4885 and the request events are never written. |
| PKI administration control | Use dedicated PKI admin accounts and treat CA servers as Tier 0 assets | High | Reduces misuse of privileges and credential exposure. |
| ACL auditing | Snapshot the CA security descriptor on a schedule and diff the SDDL | High | Catches changes even when CA auditing was disabled beforehand. |
| Monitoring | Alert on 4882 and 4885 on CA hosts, and on 4888/4889 → 4869 → 4887 chains sharing a RequestId | High | Early detection of CA tampering and abuse. |
| PKI hardening | Restrict network access to the CA RPC endpoints and administrative interfaces to PKI management hosts | High | Reduces the set of hosts that can reach ICertAdminD. |