Type: Detection | Level: low | Status: test

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

Authors: Orlinum, BlueDefenZer
Created: Wed Nov 17
Updated: Sun Dec 25
Rule ID: 5ee3a654-372f-11ec-8d3d-0242ac130003
Log source: windows

Log Source
Product: Windows (raw: windows)
Service: security (raw: security)

Definition

When Certificate Services loads a certificate template, event ID 4898 is logged; when a Certificate Services template is updated, event ID 4899 is logged. A risky permission is indicated when the template content in these events contains a specific flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, which lets the requester choose the certificate subject).

Detection Logic (2 selectors)
detection:
    selection1:
        EventID: 4898
        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    selection2:
        EventID: 4899
        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    condition: selection1 or selection2
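The two selectors above applied to constructed event records, as an added Python example that is not part of the Sigma rule or its repository. The sample events, their field layout and the complementary numeric decode of msPKI-Certificate-Name-Flag (bit 0x1 is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT per MS-CRTD) are assumptions that go beyond what the rule itself checks.

```python
import re

# Values taken from the Sigma rule on this page.
RULE_ID = "5ee3a654-372f-11ec-8d3d-0242ac130003"
FLAG_NAME = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"
# Event ID -> field inspected (selection1 and selection2 of the rule).
WATCHED_FIELDS = {4898: "TemplateContent", 4899: "NewTemplateContent"}

# Assumption beyond the rule: numeric value of the flag in msPKI-Certificate-Name-Flag (MS-CRTD).
FLAG_BIT = 0x00000001
NAME_FLAG_RE = re.compile(r"msPKI-Certificate-Name-Flag\s*=\s*(0x[0-9a-fA-F]+|\d+)")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection1 or selection2'.
    Sigma's |contains modifier is case-insensitive, so compare lower-cased."""
    field = WATCHED_FIELDS.get(event.get("EventID"))
    if field is None:
        return False
    return FLAG_NAME.lower() in str(event.get(field, "")).lower()


def name_flag_has_enrollee_supplies_subject(content: str) -> bool:
    """Complementary check: decode the numeric name-flag value if the symbolic
    name is absent from the template dump (constructed layout, see samples)."""
    m = NAME_FLAG_RE.search(content)
    if not m:
        return False
    raw = m.group(1)
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    return value & FLAG_BIT != 0


def scan(events):
    """Return the RecordIds of events that would fire this rule."""
    return [e["RecordId"] for e in events if matches_rule(e)]


# Constructed sample events; the field layout is an assumption, not a real log dump.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4898, "TemplateContent":
        "Template: WebServerCustom\nmsPKI-Certificate-Name-Flag = 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)"},
    {"RecordId": 2, "EventID": 4899, "NewTemplateContent":
        "msPKI-Certificate-Name-Flag = 0x1 (ct_flag_enrollee_supplies_subject)"},
    {"RecordId": 3, "EventID": 4898, "TemplateContent":
        "msPKI-Certificate-Name-Flag = 0x40000000 (CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)"},
    # Flag only in the OLD content: the rule watches NewTemplateContent, so no alert.
    {"RecordId": 4, "EventID": 4899, "OldTemplateContent": FLAG_NAME, "NewTemplateContent": "0x40000000"},
    {"RecordId": 5, "EventID": 4624, "TemplateContent": FLAG_NAME},  # wrong event ID
]
```

Record 2 shows why the case-insensitive comparison matters, and record 4 shows that a template being tightened (flag removed) does not fire the rule.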
False Positives

Administrator activity

Proxy SSL certificate with subject modification

Smart card enrollment

Rule Metadata
Rule ID
5ee3a654-372f-11ec-8d3d-0242ac130003
Status
test
Level
low
Type
Detection
Created
Wed Nov 17
Modified
Sun Dec 25
Path
rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
Raw Tags
attack.privilege-escalation, attack.credential-access