This note documents detection patterns for ADCS ESC8 (NTLM relay to the Certification Authority Web Enrollment endpoint under /certsrv/) within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security (CA) | 4886 | Certificate Services received a certificate request | High | Written on the CA, and only when Certification Services auditing is enabled. Review Requester (the relayed identity, in ESC8 usually a machine account ending in `$`) and Attributes (carries `CertificateTemplate:<name>`). |
| Security (CA) | 4887 | Certificate Services approved a certificate request and issued a certificate | Critical | Confirms the relay produced a usable certificate. Correlate RequestId with the matching 4886 and with the IIS log entry for POST /certsrv/certfnsh.asp; 4888 is the corresponding denial. |
| Security (DC) | 4768 | Kerberos TGT requested | High | A certificate logon shows Pre-Authentication Type 16 (PA-PK-AS-REQ) and populates the Certificate Information fields (issuer, serial number, thumbprint). A relayed certificate is typically used this way right after issuance, from the relay host rather than the account's own machine. |
| Security | 4624 | Successful logon | Medium | Does not by itself show that a certificate was used; correlate with the 4768 above and with 4672. |
| Security | 4672 | Special privileges assigned | High | Privileged session established after the certificate authentication, e.g. a DC machine account logging on from an unexpected host. |
| Sysmon | 3 | Network connection | Critical | On the CA: inbound connections to w3wp.exe on 80/443 from an address that is not the requester's host. On a monitored relay host: outbound connections to the CA. |
| Sysmon | 1 | Process creation | Medium | ntlmrelayx, the Certipy relay module or similar tools appear only if the attacker runs them on a monitored Windows host; the usual Linux attack box leaves no Sysmon trace. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| NTLM authentication to the ADCS web endpoint | IIS log entries for /certsrv/ (in particular POST /certsrv/certfnsh.asp) where cs-username is a machine account | Critical | After a relay, cs-username is the victim identity and c-ip is the relay host. A DC account appearing with any address but the DC's own is the core ESC8 signal. |
| Authentication coercion preceding the request | PrinterBug (MS-RPRN), PetitPotam (MS-EFSRPC), DFSCoerce (MS-DFSNM) calls against the victim, typically a DC, seconds before the enrollment | Critical | The coercion forces the victim to authenticate to the relay host; that host and the IIS c-ip are usually the same address. |
| Certificate issued to a machine account unexpectedly | 4886/4887 on the CA with a `$` requester and a template such as DomainController or Machine submitted through the web interface | High | Machine accounts normally enrol through autoenrollment (RPC/DCOM), not through /certsrv/. |
| Certificate issuance from an unusual source host | Enrollment from a workstation or server that never otherwise talks to the CA | High | Indicates an attacker-controlled relay host; Sysmon 3 on the CA shows the peer address and port. |
| Privileged activity after certificate authentication | 4768 with Pre-Authentication Type 16 for the victim account from the relay host, followed by 4672/4624 on domain controllers | Critical | The certificate obtained via relay is being used. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Its `relay` command relays NTLM authentication to the CA's web enrollment endpoint and requests a certificate as the relayed identity. |
| ntlmrelayx | Impacket relay tool; `--adcs --template <name>` with a target of `http://<ca>/certsrv/certfnsh.asp` submits a request as the relayed account. |
| PetitPotam | Coerces machine authentication via MS-EFSRPC to the attacker's relay host. |
| PrinterBug (SpoolSample) | Coerces authentication via MS-RPRN; requires the Print Spooler service on the victim. |
| Coercer | Framework automating coercion over many RPC interfaces. |
Relevant Artifacts
- Domain controller Security logs (4768 with Pre-Authentication Type 16, 4624, 4672)
- CA Security logs (4886, 4887, 4888); these are only written when Certification Services auditing is enabled on the CA (the audit filter, e.g. `certutil -setreg CA\AuditFilter 127`, plus the Audit Certification Services subcategory under Object Access in the advanced audit policy)
- IIS logs on the CA (default `%SystemDrive%\inetpub\logs\LogFiles`), covering /certsrv/ and in particular certfnsh.asp
- Sysmon logs (1, 3) on the CA and on any monitored host used as the relay
- Network telemetry showing coercion (MS-RPRN, MS-EFSRPC, MS-DFSNM) followed by NTLM over HTTP to the CA
- EDR telemetry identifying relay tooling
- Prefetch artifacts showing ntlmrelayx or Certipy execution on a Windows host
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay (covers NTLM relay)
- T1187 Forced Authentication (the coercion step)
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
Decision Tree
- Is the suspicious event present?
  - Look for 4886/4887 on the CA whose Requester is a machine account, and for POST /certsrv/certfnsh.asp entries in the CA's IIS log with a machine account in cs-username.
- What host generated the request?
  - Take c-ip from the IIS entry and compare it with the address of the machine named in cs-username / Requester. A mismatch (for a DC account, any address but the DC's own) is the core ESC8 signal.
- Is the account expected to perform this action?
  - Machine accounts enrol through autoenrollment (RPC/DCOM), not the web interface; a DC account enrolling via /certsrv/ is rarely legitimate.
- Pivot:
  - Source host: inspect execution of ntlmrelayx or Certipy if it is a monitored Windows host, otherwise treat it as an attacker box and check what else it has touched.
  - Account: look for a 4768 with Pre-Authentication Type 16 for that account from the same source address, then 4624/4672 on DCs.
  - Network: look for coercion traffic (MS-RPRN, MS-EFSRPC, MS-DFSNM) from the same source to the victim shortly before the enrollment.
- Confirm exploitation
  - A 4768 PKINIT logon for the requester account whose Certificate Information names your CA, coming from the relay host, confirms the certificate was used; what follows it on the DCs shows what it was used for.
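The decision tree above, run as code over constructed sample data. This is an added example, not part of the original note: the IIS lines, the 4886/4887 and 4768 records and the `KNOWN_HOSTS` inventory are made up (they follow the real field layouts, but are not captures), and the "expected IP per machine account" lookup is a hypothetical input you would source from DNS or a CMDB.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt from the CA's Web Enrollment site (not a real capture).
# cs-username is the identity IIS authenticated; after a relay it is the victim account,
# while c-ip is the relay host.
IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2024-03-01 10:00:01 10.0.0.5 POST /certsrv/certfnsh.asp CORP\\WS01$ 200
2024-03-01 10:02:40 10.0.0.99 GET /certsrv/certrqxt.asp CORP\\DC01$ 200
2024-03-01 10:02:41 10.0.0.99 POST /certsrv/certfnsh.asp CORP\\DC01$ 200
2024-03-01 10:05:12 10.0.0.7 POST /certsrv/certfnsh.asp CORP\\jsmith 200
"""

# Hypothetical inventory: machine account -> address it is expected to enrol from.
KNOWN_HOSTS = {"CORP\\WS01$": "10.0.0.5", "CORP\\DC01$": "10.0.0.10"}

# CA Security events reduced to the fields used here (4886 = request received,
# 4887 = approved and issued). Constructed.
CA_EVENTS = [
    {"EventID": 4886, "Time": "2024-03-01 10:00:01", "RequestId": "1041",
     "Requester": "CORP\\WS01$", "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 4887, "Time": "2024-03-01 10:00:01", "RequestId": "1041",
     "Requester": "CORP\\WS01$", "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 4886, "Time": "2024-03-01 10:02:41", "RequestId": "1042",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    {"EventID": 4887, "Time": "2024-03-01 10:02:41", "RequestId": "1042",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
]

# DC 4768 events. PreAuthType 16 (PA-PK-AS-REQ) marks a PKINIT, i.e. certificate, logon.
DC_EVENTS = [
    {"EventID": 4768, "Time": "2024-03-01 10:00:30", "TargetUserName": "WS01$",
     "IpAddress": "::ffff:10.0.0.5", "PreAuthType": "2", "CertIssuerName": ""},
    {"EventID": 4768, "Time": "2024-03-01 10:03:05", "TargetUserName": "DC01$",
     "IpAddress": "::ffff:10.0.0.99", "PreAuthType": "16", "CertIssuerName": "corp-CA"},
]


def parse_iis(text):
    """Parse W3C-format IIS lines, taking column names from the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_relayed_enrollments(iis_rows, known_hosts):
    """Flag certfnsh.asp submissions authenticated as a machine account whose
    source address is not the one the inventory assigns to that machine."""
    hits = []
    for row in iis_rows:
        if row["cs-method"] != "POST" or row["cs-uri-stem"].lower() != "/certsrv/certfnsh.asp":
            continue
        account = row["cs-username"]
        if not account.endswith("$"):          # machine accounts only
            continue
        expected = known_hosts.get(account)
        if row["c-ip"] != expected:
            hits.append({"time": ts(f"{row['date']} {row['time']}"), "account": account,
                         "source_ip": row["c-ip"], "expected_ip": expected})
    return hits


def enrich(hits, ca_events, dc_events, window=timedelta(minutes=10)):
    """Attach the CA request(s) for the same account around the same time, the
    template(s) requested, whether a certificate was issued (4887), and whether a
    PKINIT TGT request (4768, PreAuthType 16) followed from the relay host."""
    for hit in hits:
        sam = hit["account"].split("\\")[-1]
        related = [e for e in ca_events if e["Requester"] == hit["account"]
                   and abs(ts(e["Time"]) - hit["time"]) <= window]
        hit["request_ids"] = sorted({e["RequestId"] for e in related})
        templates = set()
        for e in related:
            m = re.search(r"CertificateTemplate:(\S+)", e["Attributes"])
            if m:
                templates.add(m.group(1))
        hit["templates"] = sorted(templates)
        hit["issued"] = any(e["EventID"] == 4887 for e in related)
        hit["pkinit_from_source"] = any(
            e["TargetUserName"] == sam and e["PreAuthType"] == "16"
            and e["IpAddress"].replace("::ffff:", "") == hit["source_ip"]
            and timedelta(0) <= ts(e["Time"]) - hit["time"] <= window
            for e in dc_events)
    return hits


def triage():
    """Run the whole chain over the constructed data and return the findings."""
    return enrich(find_relayed_enrollments(parse_iis(IIS_LOG), KNOWN_HOSTS),
                  CA_EVENTS, DC_EVENTS)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Only the DC01$ submission from 10.0.0.99 is reported: the WS01$ request comes from its own address and jsmith is not a machine account. The address comparison is the weak link in real environments (DHCP, multihoming), which is why the DC case is the high-signal one: DC addresses are static, and a DC account enrolling from anywhere else deserves a look regardless of what the CA events say.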
Example Detection Templates
KQL

```kql
// CA server: requests received (4886) and issued (4887) for machine accounts.
// Requester, RequestId and Attributes are event-specific fields; depending on the
// connector they may have to be extracted from EventData first.
SecurityEvent
| where EventID in (4886, 4887)
| where Requester endswith "$"
| project TimeGenerated, Computer, EventID, RequestId, Requester, Attributes
```

```kql
// Domain controllers: TGT requests with PKINIT pre-authentication (type 16).
// Compare IpAddress with the address of the host named in TargetUserName.
SecurityEvent
| where EventID == 4768 and PreAuthType == "16"
| project TimeGenerated, TargetUserName, IpAddress, PreAuthType
```

EQL

```eql
// Field names follow the Elastic winlog mapping.
any where event.code in ("4886", "4887") and endsWith(winlog.event_data.Requester, "$")
```

Sigma

```yaml
title: Suspicious Certificate Enrollment via Web Endpoint
id: adcs-esc8-detection
status: experimental
description: Detects certificate requests from machine accounts on the CA, which can indicate NTLM relay to the ADCS web enrollment endpoint (ESC8). Requires Certification Services auditing on the CA; confirm against the IIS log for /certsrv/certfnsh.asp.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4886
      - 4887
    Requester|endswith: '$'
  condition: selection
fields:
  - RequestId
  - Requester
  - Attributes
falsepositives:
  - Legitimate machine certificate enrollment (autoenrollment, certreq)
level: medium
tags:
  - attack.credential_access
  - attack.t1557.001
  - attack.t1649
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Disable web enrollment | Remove the Certification Authority Web Enrollment role service if it is not needed | Critical | Removes the relay target entirely. The Certificate Enrollment Web Service (CES) is a separate HTTP endpoint and needs the same treatment. |
| Require HTTPS with EPA | Require SSL on /certsrv/ and set Extended Protection for Authentication to Required | High | Channel binding ties the NTLM exchange to the TLS session, so a relayed response fails. EPA only works over TLS: plain HTTP must be disabled, not merely supplemented by HTTPS. |
| Disable NTLM on the CA endpoints | Configure the IIS Windows authentication providers to Negotiate:Kerberos only, or restrict incoming NTLM on the CA | High | The relay needs NTLM; Kerberos cannot be relayed this way. SMB signing does not protect the HTTP endpoint and is not an ESC8 mitigation. |
| Reduce the coercion surface | Disable Print Spooler on domain controllers, apply the guidance in KB5005413 for EFSRPC, and restrict outbound SMB from DCs to arbitrary hosts | Medium | Removes the usual way an attacker obtains a DC's NTLM authentication; it does not fix the CA itself. |
| Monitoring | Alert on 4886/4887 where Requester is a machine account and the IIS c-ip is not that machine's address | High | Detects relay attempts; requires Certification Services auditing and IIS logging on the CA. |
| Network controls | Restrict access to the CA web interface to the hosts that legitimately use it | Medium | Limits exposure of the enrollment endpoint. |
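The three CA-side settings in the table (TLS required, EPA required, NTLM not offered) can be checked offline against an exported applicationHost.config. The checker below is an added example, not from the original note: the two XML fragments are constructed, the weak one beside the hardened one, and the site path `Default Web Site/CertSrv` is hypothetical. Element and attribute names follow the IIS system.webServer/security schema (`access sslFlags`, `windowsAuthentication`, `extendedProtection tokenChecking`, provider values).

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpts for the CertSrv application (not real exports).
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
            <providers>
              <add value="Negotiate:Kerberos" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

CHECKS = {
    "no-tls": "plain HTTP is accepted: set sslFlags to include Ssl",
    "no-epa": "Extended Protection is not required: set extendedProtection tokenChecking=\"Require\"",
    "ntlm-allowed": "NTLM can be negotiated: offer only the Negotiate:Kerberos provider",
}


def audit_certsrv(config_xml, site_path="Default Web Site/CertSrv"):
    """Return the failed check codes for the CertSrv <location>; an empty list means
    all three settings are in place. Raises LookupError if the application is absent,
    which is the desired state when web enrollment has been removed."""
    root = ET.fromstring(config_xml)
    location = next((l for l in root.iter("location") if l.get("path") == site_path), None)
    if location is None:
        raise LookupError(f"{site_path} is not configured (web enrollment absent)")
    failed = []

    access = location.find(".//access")
    ssl_flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in [f.strip() for f in ssl_flags.split(",")]:
        failed.append("no-tls")

    win_auth = location.find(".//windowsAuthentication")
    epa = win_auth.find("extendedProtection") if win_auth is not None else None
    if epa is None or epa.get("tokenChecking") != "Require":
        failed.append("no-epa")

    providers = [p.get("value") for p in win_auth.findall("providers/add")] if win_auth is not None else []
    # A bare "Negotiate" provider still lets SPNEGO fall back to NTLM; only
    # "Negotiate:Kerberos" pins the exchange to Kerberos.
    if any(p in ("NTLM", "Negotiate") for p in providers):
        failed.append("ntlm-allowed")
    return failed


def report(config_xml):
    """Human-readable findings for a config fragment."""
    return [CHECKS[code] for code in audit_certsrv(config_xml)]


if __name__ == "__main__":
    print("weak:", report(WEAK_CONFIG))
    print("hardened:", report(HARDENED_CONFIG))
```

The checker reads only the CertSrv `<location>`; a real export may carry some of these settings at the site or server level instead, so confirm the effective values with the IIS management tools before trusting a clean result. Disabling plain HTTP matters even once EPA is set, because EPA has nothing to bind to on a non-TLS connection.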