Detecting ADCS / Certificate Attacks
Status: Scaffold — content in progress
Paired Attacks: ESC1 · ESC4–ESC8 · Certificate Theft
DRL Level: DRL-4
Detection Confidence: Medium (ADCS logging is often not enabled by default)
Required Telemetry
| Source | Event / Field | Notes |
|---|---|---|
| ADCS CA Audit Log | Event 4886 (cert requested), 4887 (cert issued), 4888 (cert denied) | Must enable CA auditing |
| Windows Security Log (DC) | Event 4768 with CertIssuerName field | Detects PKINIT authentication |
| Certsrv IIS logs | HTTP requests to /certsrv/ | Detects web enrollment |
Enable CA auditing:
certutil -setreg CA\AuditFilter 127
net stop certsvc && net start certsvc
Key Detection Scenarios
Scenario 1 — Low-privilege user enrolling in high-privilege template
4886: Certificate Request
RequesterName: lowprivuser@itdr.lab
TemplateName: VulnerableTemplate
SubjectAltName: Administrator@itdr.lab ← user ≠ SAN = suspicious
Scenario 2 — PKINIT with certificate (should be rare unless smart cards deployed)
4768: Kerberos TGT Request
CertIssuerName: ITDR-CA
PreAuthType: 16 (PKINIT)
Scenario 3 — ESC8 Relay (cert enrolled via HTTP for machine account)
ADCS IIS log: POST /certsrv/certfnsh.asp
Source IP: [attacker relay IP]
Template: DomainController
Sigma Rule (ESC1 Detection)
title: Suspicious Certificate Enrollment — SAN Mismatch
status: experimental
description: Detects certificate requests where Subject Alternative Name (SAN) does not match the requesting user.
logsource:
product: windows
service: security
detection:
selection:
EventID: 4887
filter_normal:
# Normal: SAN matches requester (e.g., user requesting cert for themselves)
# Suspicious: SAN contains a different account, especially Admin/privileged
condition: selection
falsepositives:
- Enrollment agents legitimately enrolling on behalf of other users
- Smart card enrollment workflows
level: high
Cross-Links
| Topic | Link |
|---|---|
| ADCS Protocol | adcs |
| ESC1 Attack | esc1-template-abuse |
| Detection Framework | detection-framework |