sigmalowHunting

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

Detection Query

selection1:
  EventID: 4898
  TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
selection2:
  EventID: 4899
  NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
condition: selection1 or selection2

Author

Orlinum , BlueDefenZer

Created

2021-11-17

Data Sources

windowssecurity

Platforms

windows

References

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

Tags

attack.privilege-escalationattack.credential-access

Raw Content

title: ADCS Certificate Template Configuration Vulnerability
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
status: test
description: Detects certificate creation with template allowing risk permission subject
references:
    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
logsource:
    product: windows
    service: security
    definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.
detection:
    selection1:
        EventID: 4898
        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    selection2:
        EventID: 4899
        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    condition: selection1 or selection2
falsepositives:
    - Administrator activity
    - Proxy SSL certificate with subject modification
    - Smart card enrollement
level: low