
Breaking the Chain: Defending Against Certificate Services Abuse

Deep dive into Active Directory Certificate Services (AD CS) attacks and comprehensive detection strategies for ESC1-ESC8 and beyond.

adcs certificates active-directory privilege-escalation detection splunk

Originally published on the Splunk Security Blog
Read the full article: Breaking the Chain: Certificate Services Abuse

Why AD CS Matters

Active Directory Certificate Services is often:

  • Misconfigured by default
  • Overlooked by defenders
  • A goldmine for attackers

Because a certificate issued for a privileged identity can be used to authenticate as that identity, certificate abuse can lead to full domain compromise.

The ESC Attack Classes

ESC1: Misconfigured Certificate Templates

Templates that let the enrollee supply the subject name allow low-privileged users to request certificates with an arbitrary SAN (for example another user's UPN), which can then be used to authenticate as that user.

ESC2: Any Purpose EKU

Templates with the “Any Purpose” EKU can be used for any purpose, including client authentication, so a certificate from such a template is as good as one from an authentication template.

ESC3: Enrollment Agent Templates

Templates that grant the Certificate Request Agent EKU let the holder request certificates on behalf of other users.

ESC4: Vulnerable Template ACLs

Weak ACLs on template objects let a low-privileged principal modify a template to enable the other ESC attacks (for example by turning it into an ESC1 template).

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2

This CA-level flag allows a SAN to be specified through request attributes in any request, regardless of the template used.

ESC7: Vulnerable CA ACLs

Weak ACLs on the CA itself let a principal change CA configuration (for example enabling the ESC6 flag) to make the other attacks possible.

ESC8: NTLM Relay to AD CS Web Enrollment

When the web enrollment endpoints accept NTLM authentication, relayed authentication can be used to obtain a certificate for the relayed identity.

Detection Strategies

Certificate Requests with SANs (Event ID 4886: certificate request received)

index=windows EventCode=4886
| rex field=Message "Subject Alternative Name:\s*(?<san>.*)"
| where isnotnull(san)
| table _time, Computer, RequesterName, san, TemplateName
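The query above surfaces every request that carries a SAN; the higher-signal check compares the SAN identity against the requester and lets matching machine enrollments through. As an added example that is not from the original post or from Splunk, the following Python applies that comparison to constructed 4886/4887-style messages (the message layout, SAMPLE_EVENTS and the helper names are assumptions for illustration).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample messages modelled on Windows Security event 4887
# (certificate request approved and issued); illustrative, not verbatim logs.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("4887", "Request ID: 101\nRequester: CORP\\jsmith\n"
             "Attributes: CertificateTemplate:User\nSubject: CN=jsmith"),
    # requester-supplied SAN naming a different, privileged account
    ("4887", "Request ID: 102\nRequester: CORP\\jsmith\n"
             "Attributes: CertificateTemplate:WebServerCustom\n"
             "SAN:upn=administrator@corp.local\nSubject: CN=jsmith"),
    # machine enrollment whose SAN matches the requesting computer account
    ("4887", "Request ID: 103\nRequester: CORP\\WEB01$\n"
             "Attributes: CertificateTemplate:Machine\n"
             "SAN:dns=web01.corp.local\nSubject: CN=web01.corp.local"),
]

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$", re.MULTILINE)
SAN_RE = re.compile(r"SAN:(?P<type>upn|dns|email)=(?P<value>[^\s,]+)", re.IGNORECASE)
TEMPLATE_RE = re.compile(r"CertificateTemplate:(\S+)")

def parse_fields(message: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of an event message into a dict."""
    return {m["key"].strip(): m["value"].strip() for m in FIELD_RE.finditer(message)}

def short_name(identity: str) -> str:
    """'CORP\\WEB01$' / 'web01.corp.local' / 'admin@corp.local' -> 'web01' / 'admin'."""
    bare = identity.split("\\")[-1].split("@")[0].split(".")[0]
    return bare.rstrip("$").lower()

def check_event(event_code: str, message: str) -> Optional[Dict[str, str]]:
    """Flag a 4886/4887 event whose requester-supplied SAN names another identity."""
    if event_code not in ("4886", "4887"):
        return None
    san = SAN_RE.search(message)
    if san is None:
        return None  # no requester-supplied SAN: ordinary enrollment
    fields = parse_fields(message)
    requester = fields.get("Requester", "")
    if short_name(requester) == short_name(san["value"]):
        return None  # SAN matches the requester: expected for machine certificates
    template = TEMPLATE_RE.search(message)
    return {"request_id": fields.get("Request ID", ""), "requester": requester,
            "template": template.group(1) if template else "",
            "san": f"{san['type']}={san['value']}"}

def scan(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Run the check over (event_code, message) pairs and collect findings."""
    return [f for f in (check_event(c, m) for c, m in events) if f is not None]
```

Running scan(SAMPLE_EVENTS) returns only request 102, where jsmith obtained a certificate naming the administrator UPN.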

Certificate Enrollment (Event ID 4887: request approved and certificate issued)

index=windows EventCode=4887
| table _time, Computer, RequesterName, TemplateName, CertificateSerialNumber

Template Modifications (Event IDs 4899 and 4900: template updated, template security updated)

index=windows EventCode=4899 OR EventCode=4900
| table _time, Computer, SubjectUserName, TemplateName, AttributeName

Tools

  • Certify - Find and abuse misconfigurations
  • Certipy - Python AD CS toolkit
  • PSPKIAudit - PowerShell auditing

Defense Recommendations

  • Audit certificate templates
  • Remove unnecessary enrollment permissions
  • Monitor certificate requests
  • Disable EDITF_ATTRIBUTESUBJECTALTNAME2
  • Require CA certificate manager approval

Read the full analysis: Breaking the Chain: Certificate Services Abuse
