← Back to Explore
splunk_escuTTP
Windows Steal Authentication Certificates - ESC1 Authentication
The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.
Detection Query
`wineventlog_security`
EventCode IN (4887)
Attributes="*SAN:*upn*"
Attributes="*CertificateTemplate:*"
| stats
count
min(_time) as firstTime
max(_time) as lastTime
values(name) as name
values(status) as status
values(Subject) as ssl_subject
values(SubjectKeyIdentifier) as ssl_hash
by Computer, EventCode, Requester, Attributes, RequestId
| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"
| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"
| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"
| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"
| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"
| rename
Attributes as object_attrs
EventCode as signature_id
name as signature
RequestId as ssl_serial
Requester as ssl_subject_common_name
| eval user = lower(coalesce(req_user_1, req_user_2))
| join user [
search `wineventlog_security`
EventCode=4768
CertThumbprint=*
| rename
TargetUserName as user
Computer as auth_dest
IpAddress as auth_src
| fields auth_src, auth_dest, user
]
| eval
src = upper(coalesce(auth_src, req_src)),
dest = upper(coalesce(auth_dest, req_dest_1, req_dest_2)),
risk_score = 50
| eval flavor_text = case(
signature_id=="4887",
"User account [" . user . "] authenticated after a suspicious certificate was issued for it by [" . src_user . "] using certificate request ID: " . ssl_serial
)
| fields - req_* auth_*
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates___esc1_authentication_filter`Author
Steven Dick
Created
2026-03-17
Data Sources
Windows Event Log Security 4887Windows Event Log Security 4768
References
Tags
Windows Certificate ServicesCompromised Windows Host
Raw Content
name: Windows Steal Authentication Certificates - ESC1 Authentication
id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e
version: 8
date: '2026-03-17'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.
data_source:
- Windows Event Log Security 4887
- Windows Event Log Security 4768
search: |-
`wineventlog_security`
EventCode IN (4887)
Attributes="*SAN:*upn*"
Attributes="*CertificateTemplate:*"
| stats
count
min(_time) as firstTime
max(_time) as lastTime
values(name) as name
values(status) as status
values(Subject) as ssl_subject
values(SubjectKeyIdentifier) as ssl_hash
by Computer, EventCode, Requester, Attributes, RequestId
| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"
| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"
| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"
| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"
| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"
| rename
Attributes as object_attrs
EventCode as signature_id
name as signature
RequestId as ssl_serial
Requester as ssl_subject_common_name
| eval user = lower(coalesce(req_user_1, req_user_2))
| join user [
search `wineventlog_security`
EventCode=4768
CertThumbprint=*
| rename
TargetUserName as user
Computer as auth_dest
IpAddress as auth_src
| fields auth_src, auth_dest, user
]
| eval
src = upper(coalesce(auth_src, req_src)),
dest = upper(coalesce(auth_dest, req_dest_1, req_dest_2)),
risk_score = 50
| eval flavor_text = case(
signature_id=="4887",
"User account [" . user . "] authenticated after a suspicious certificate was issued for it by [" . src_user . "] using certificate request ID: " . ssl_serial
)
| fields - req_* auth_*
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates___esc1_authentication_filter`
how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.
known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function.
references:
- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
- https://github.com/ly4k/Certipy#esc1
- https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/
drilldown_searches:
- name: View the detection results for - "$src$" and "$dest$"
search: '%original_detection_search% | search src = "$src$" dest = "$dest$" src_user = "$src_user$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Possible AD CS ESC1 authentication on $dest$
risk_objects:
- field: src
type: system
score: 50
- field: dest
type: system
score: 50
- field: src_user
type: user
score: 50
- field: user
type: user
score: 50
threat_objects:
- field: ssl_hash
type: tls_hash
- field: ssl_serial
type: certificate_serial
tags:
analytic_story:
- Windows Certificate Services
- Compromised Windows Host
asset_type: Endpoint
mitre_attack_id:
- T1649
- T1550
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog