This note documents detection patterns related to ADCS ESC9 within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4886 | Certificate issued | Critical | Certificate issued from a template that does not embed the szOID_NTDS_CA_SECURITY_EXT security extension (ESC9). Review CertificateTemplate, Requester and SubjectUserName. |
| Security | 4887 | Certificate request approved | Medium | Unexpected approvals may accompany exploitation. |
| Security | 4768 | Kerberos TGT request | Critical | A certificate issued via ESC9 may be used for PKINIT authentication shortly after enrollment; correlate TGT requests for the certificate subject with preceding 4886 events. |
| Security | 4624 | Successful logon | High | Certificate-based authentication after issuance. |
| Security | 4672 | Special privileges assigned | High | Privileged session established after certificate authentication. |
| Sysmon | 1 | Process creation | Medium | Execution of Certipy, Certify, or Rubeus. |
| Sysmon | 3 | Network connection | Medium | Connections to CA server or domain controllers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Certificate issued without the security extension | Templates configured so that issued certificates omit szOID_NTDS_CA_SECURITY_EXT | Critical | ESC9 relies on the missing security extension not being validated during authentication. |
| Certificate issued for privileged account by low privilege requester | Mismatch between Requester and SubjectUserName | Critical | Indicates impersonation attempt. |
| PKINIT authentication shortly after issuance | TGT request event after certificate issuance | High | Suggests certificate-based authentication abuse. |
| Authentication from unusual host | User authenticating from host not normally used | High | Possible attacker host. |
| Administrative activity following authentication | ACL changes, account modifications | Critical | Indicates escalation using forged certificate. |
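The two tables above describe indicators that are only meaningful in combination: a 4886 issuance whose Requester is not the account in the certificate subject, followed shortly by a PKINIT TGT request (4768) for that subject. The following Python is an added example, not part of the original note, that runs that correlation over a few constructed Security events. It assumes the field names used in this note (CertificateTemplate, Requester, SubjectUserName on 4886; TargetUserName, PreAuthType, IpAddress on 4768) and that PKINIT appears in 4768 as pre-authentication type 16 (PA-PK-AS-REQ); the 15-minute window and the severity scheme are assumptions.

```python
from datetime import datetime, timedelta

# PA-PK-AS-REQ: certificate-based pre-authentication as reported in 4768.
PKINIT_PREAUTH_TYPE = "16"

# Constructed sample events (not real log data); field names follow this note.
EVENTS = [
    {"EventID": 4886, "TimeGenerated": "2024-05-01T10:00:00", "Computer": "CA01",
     "CertificateTemplate": "ESC9-User", "Requester": "CORP\\jdoe",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4886, "TimeGenerated": "2024-05-01T10:02:00", "Computer": "CA01",
     "CertificateTemplate": "ESC9-User", "Requester": "CORP\\jdoe",
     "SubjectUserName": "CORP\\Administrator"},
    {"EventID": 4768, "TimeGenerated": "2024-05-01T10:03:30", "Computer": "DC01",
     "TargetUserName": "Administrator", "PreAuthType": "16", "IpAddress": "10.0.5.23"},
    {"EventID": 4768, "TimeGenerated": "2024-05-01T11:30:00", "Computer": "DC01",
     "TargetUserName": "jdoe", "PreAuthType": "2", "IpAddress": "10.0.5.23"},
]


def sam_name(account):
    """Normalise 'DOMAIN\\user', 'user@domain' or 'user' to a lower-cased bare user name."""
    if "\\" in account:
        account = account.split("\\", 1)[1]
    if "@" in account:
        account = account.split("@", 1)[0]
    return account.lower()


def find_mismatched_issuance(events, vulnerable_templates=None):
    """Return 4886 events whose Requester differs from the account named in the subject."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4886:
            continue
        if vulnerable_templates and ev["CertificateTemplate"] not in vulnerable_templates:
            continue
        if sam_name(ev["Requester"]) != sam_name(ev["SubjectUserName"]):
            hits.append(ev)
    return hits


def correlate_pkinit(events, window=timedelta(minutes=15)):
    """Pair each 4886 issuance with a PKINIT 4768 for the same subject inside `window`."""
    issuances = [e for e in events if e["EventID"] == 4886]
    tgts = [e for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == PKINIT_PREAUTH_TYPE]
    pairs = []
    for iss in issuances:
        t0 = datetime.fromisoformat(iss["TimeGenerated"])
        subject = sam_name(iss["SubjectUserName"])
        for tgt in tgts:
            t1 = datetime.fromisoformat(tgt["TimeGenerated"])
            if sam_name(tgt["TargetUserName"]) == subject and t0 <= t1 <= t0 + window:
                pairs.append((iss, tgt))
    return pairs


def triage(events, vulnerable_templates=None, window=timedelta(minutes=15)):
    """Combine both indicators per issuance: mismatch alone or with PKINIT use -> Critical,
    PKINIT use alone -> High (assumed severity scheme)."""
    mismatched = find_mismatched_issuance(events, vulnerable_templates)
    pkinit_pairs = correlate_pkinit(events, window)
    alerts = []
    for iss in (e for e in events if e["EventID"] == 4886):
        reasons = []
        if any(iss is m for m in mismatched):
            reasons.append("requester/subject mismatch")
        used = [tgt for i, tgt in pkinit_pairs if i is iss]
        if used:
            reasons.append("PKINIT TGT for subject from %s within %s" % (used[0]["IpAddress"], window))
        if reasons:
            alerts.append({
                "template": iss["CertificateTemplate"],
                "requester": iss["Requester"],
                "subject": iss["SubjectUserName"],
                "severity": "Critical" if "requester/subject mismatch" in reasons else "High",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The jdoe-for-jdoe issuance produces no alert (no mismatch, no PKINIT follow-up), while the jdoe-for-Administrator issuance is flagged Critical with both reasons; the password-based 4768 for jdoe is ignored because its pre-authentication type is not PKINIT.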
Common Tools
| Tool | Usage |
|---|---|
| Certipy | Enumerates and exploits ESC9 certificate template vulnerabilities. |
| Certify | Requests certificates from vulnerable templates. |
| Rubeus | Uses issued certificates for PKINIT Kerberos authentication. |
| ForgeCert | Used if attacker controls CA private key. |
| Impacket | Supports certificate-based authentication workflows. |
Relevant Artifacts
- Domain controller Security logs (4768, 4624, 4672)
- ADCS server Security logs (4886, 4887)
- Certificate Authority database
- Certificate template configuration
- Sysmon logs (1, 3)
- PKINIT authentication telemetry
- EDR telemetry detecting certificate abuse tools
- Prefetch artifacts for Certipy or Certify
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates
- T1550 Use Alternate Authentication Material
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify certificate issuance events (4886) from vulnerable templates.
- What host generated the event?
  - Determine the source system that requested the certificate.
- Is the account expected to perform this action?
  - Investigate mismatches between Requester and SubjectUserName.
- Pivot:
  - Source host → inspect execution of Certipy or Certify.
  - Account → inspect the authentication method used after certificate issuance.
  - Network → inspect PKINIT authentication events.
- Confirm exploitation
  - Determine whether the certificate was used to authenticate to domain services.
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4886
| summarize count() by CertificateTemplate, Requester, SubjectUserName, bin(TimeGenerated, 10m)
```

```kql
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4886"
```

Sigma

```yaml
title: Suspicious ADCS Certificate Issuance ESC9
id: adcs-esc9-detection
status: experimental
description: Detects suspicious certificate issuance potentially related to ESC9
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4886
  condition: selection
fields:
  - CertificateTemplate
  - Requester
  - SubjectUserName
falsepositives:
  - Legitimate certificate enrollment
level: medium
tags:
  - attack.credential_access
  - attack.t1649
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Template configuration | Ensure security extension enforcement is enabled | Critical | Prevents ESC9 abuse. |
| Enrollment permissions | Restrict certificate enrollment rights | High | Limits template abuse. |
| Template auditing | Regularly review template configuration | High | Detects vulnerable templates. |
| Monitoring | Alert on certificate issuance for privileged identities | High | Early detection. |
| PKI hardening | Restrict administrative access to ADCS infrastructure | High | Reduces certificate abuse risk. |
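The first three controls in the table (template configuration, enrollment permissions, template auditing) can be checked mechanically. The following Python is an added example, not part of the original note, that audits a few constructed template records the way a periodic review would: it tests whether msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION (0x00080000 in MS-CRTD, the bit that makes issued certificates omit szOID_NTDS_CA_SECURITY_EXT), whether broad groups may enroll, and shows the hardened flag value with the bit cleared. The KDC's StrongCertificateBindingEnforcement setting (0 disabled, 1 compatibility, 2 full enforcement) is taken as an input parameter rather than read from the registry; the template records, the group names treated as broad, and the severity scheme are assumptions.

```python
# msPKI-Enrollment-Flag bit that suppresses the security extension (MS-CRTD).
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# Principals whose enrollment rights make a weak template reachable by most accounts
# (assumed list for this example).
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# Constructed template records (not exported from a real CA).
TEMPLATES = [
    {"name": "ESC9-User", "msPKI-Enrollment-Flag": 0x00080020, "enroll": ["Domain Users"]},
    {"name": "User", "msPKI-Enrollment-Flag": 0x00000029, "enroll": ["Domain Users"]},
    {"name": "PrivAdminAuth", "msPKI-Enrollment-Flag": 0x00080000, "enroll": ["PKI Admins"]},
]


def lacks_security_extension(flags):
    """True when the template instructs the CA to omit szOID_NTDS_CA_SECURITY_EXT."""
    return bool(flags & CT_FLAG_NO_SECURITY_EXTENSION)


def broadly_enrollable(template):
    """True when any broad principal holds enroll rights on the template."""
    return any(p in BROAD_PRINCIPALS for p in template["enroll"])


def harden_flags(flags):
    """Return the flag value with CT_FLAG_NO_SECURITY_EXTENSION cleared (the fix for the template)."""
    return flags & ~CT_FLAG_NO_SECURITY_EXTENSION


def audit_templates(templates, kdc_enforcement):
    """Report templates missing the extension. Severity (assumed scheme): full KDC
    enforcement downgrades the finding because such certificates fail strong mapping;
    otherwise broad enrollment rights raise it to Critical."""
    findings = []
    for tpl in templates:
        flags = tpl["msPKI-Enrollment-Flag"]
        if not lacks_security_extension(flags):
            continue
        if kdc_enforcement >= 2:
            severity = "Medium"
        elif broadly_enrollable(tpl):
            severity = "Critical"
        else:
            severity = "High"
        findings.append({
            "template": tpl["name"],
            "severity": severity,
            "current_flags": hex(flags),
            "hardened_flags": hex(harden_flags(flags)),
            "broad_enrollment": broadly_enrollable(tpl),
        })
    return findings


if __name__ == "__main__":
    for f in audit_templates(TEMPLATES, kdc_enforcement=1):
        print(f)
```

With the KDC in compatibility mode (1), ESC9-User is Critical (extension suppressed and enrollable by Domain Users) and PrivAdminAuth is High (extension suppressed, restricted enrollment); the default-style User template is not reported. Re-running with enforcement 2 leaves both findings but at Medium, which matches the table's point that template configuration is the primary control and KDC enforcement a backstop.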