ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects the loading or updating of a certificate template that lets the enrollee supply the subject name and also carries an EKU usable for authentication (a risky EKU).
Orlinum, BlueDefenZer. Created Wed Nov 17, updated Sun Dec 25. Rule ID bfbd3291-de87-4b7c-88a2-d6a5deb28668 (windows)
Log Source
Product: windows
Service: security
Definition
Event ID 4898 (Certificate Services loaded a template) is logged when the CA loads a template, and Event ID 4899 (Certificate Services template was updated) is logged when a template is modified. The rule flags a template whose content both sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (the requester chooses the subject name) and carries an EKU that allows the resulting certificate to be used for authentication: 1.3.6.1.5.5.7.3.2 (Client Authentication), 1.3.6.1.5.2.3.4 (PKINIT Client Authentication), 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon) or 2.5.29.37.0 (Any Purpose). With that combination, anyone who can enroll in the template can request a certificate for an arbitrary principal and then authenticate as that principal. The rule inspects only the template content: it does not verify who holds enrollment rights on the template or whether CA manager approval is required, so both must be checked during triage.
Detection Logic
detection:
  selection10:
    EventID: 4898
    TemplateContent|contains:
      - '1.3.6.1.5.5.7.3.2'
      - '1.3.6.1.5.2.3.4'
      - '1.3.6.1.4.1.311.20.2.2'
      - '2.5.29.37.0'
  selection11:
    TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
  selection20:
    EventID: 4899
    NewTemplateContent|contains:
      - '1.3.6.1.5.5.7.3.2'
      - '1.3.6.1.5.2.3.4'
      - '1.3.6.1.4.1.311.20.2.2'
      - '2.5.29.37.0'
  selection21:
    NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
  condition: (selection10 and selection11) or (selection20 and selection21)
False Positives
Administrator activity
Proxy SSL certificate with subject modification
Smart card enrollment
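As an added example (not code from the rule's authors or the Sigma project), the following Python applies the rule's condition to a few constructed Security events and annotates each hit with context for sorting out the false positives listed above. The free-text layout of the events, the "Template Name:" line and the CT_FLAG_PEND_ALL_REQUESTS manager-approval check are assumptions introduced here; the rule itself matches only on the EKU OIDs and the subject flag.

```python
"""Worked example for this page: apply the rule's detection logic to
constructed Security events and annotate hits for triage.

Illustrative code written for this page, not code from the Sigma project
or its tooling. The sample events below are constructed and only
approximate the free-text layout of real 4898/4899 TemplateContent.
"""

# The four EKU OIDs the rule treats as risky, with their meanings.
RISKY_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
SUBJECT_FLAG = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"

# Mirrors the rule: 4898 carries the template body in TemplateContent,
# 4899 carries the new body in NewTemplateContent.
CONTENT_FIELD = {4898: "TemplateContent", 4899: "NewTemplateContent"}

# Not part of the rule (triage aid added here): a template whose enrollment
# flags include CT_FLAG_PEND_ALL_REQUESTS needs CA manager approval before
# issuance, which blocks the direct abuse path.
MANAGER_APPROVAL_FLAG = "CT_FLAG_PEND_ALL_REQUESTS"


def evaluate(event):
    """Return {'matched': bool, 'ekus': [names]} for one event.

    Implements: (4898 and TemplateContent has risky EKU and subject flag)
             or (4899 and NewTemplateContent has risky EKU and subject flag).
    Sigma's `contains` is case-insensitive, so text is lower-cased first.
    """
    field = CONTENT_FIELD.get(event.get("EventID"))
    if field is None:
        return {"matched": False, "ekus": []}
    content = str(event.get(field, "")).lower()
    ekus = [name for oid, name in RISKY_EKUS.items() if oid in content]
    has_subject_flag = SUBJECT_FLAG.lower() in content
    return {"matched": bool(ekus) and has_subject_flag, "ekus": ekus}


def triage(event):
    """Add context the rule itself does not check.

    template: value of a 'Template Name:' line, if present (layout assumed).
    manager_approval: True if the content mentions CT_FLAG_PEND_ALL_REQUESTS.
    Enrollment permissions are not in the event text; check them in AD.
    """
    field = CONTENT_FIELD.get(event.get("EventID"))
    content = str(event.get(field, "")) if field else ""
    template = None
    for line in content.splitlines():
        if line.strip().lower().startswith("template name:"):
            template = line.split(":", 1)[1].strip()
            break
    return {
        "template": template,
        "manager_approval": MANAGER_APPROVAL_FLAG.lower() in content.lower(),
    }


# Constructed sample events (not captured from a real CA).
SAMPLE_EVENTS = [
    # 1. Loaded template: enrollee picks the subject, Client Auth EKU -> hit.
    {"EventID": 4898, "TemplateContent":
        "Template Name: VulnUser\n"
        "msPKI-Certificate-Name-Flag = 0x1\n"
        "    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1\n"
        "pKIExtendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.4\n"},
    # 2. Web server template: subject supplied, but only Server Authentication
    #    (1.3.6.1.5.5.7.3.1), which the rule does not list -> no hit.
    {"EventID": 4898, "TemplateContent":
        "Template Name: WebServer\n"
        "    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1\n"
        "pKIExtendedKeyUsage = 1.3.6.1.5.5.7.3.1\n"},
    # 3. Update adding Any Purpose to a subject-supplied template -> hit, but
    #    manager approval is required, so triage can downgrade it.
    {"EventID": 4899, "NewTemplateContent":
        "Template Name: LegacyAnyPurpose\n"
        "    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1\n"
        "msPKI-Enrollment-Flag = 0x2\n"
        "    CT_FLAG_PEND_ALL_REQUESTS -- 2\n"
        "pKIExtendedKeyUsage = 2.5.29.37.0\n"},
    # 4. Smart card template whose subject is built from AD (no flag) -> no hit.
    {"EventID": 4898, "TemplateContent":
        "Template Name: SmartcardLogon\n"
        "msPKI-Certificate-Name-Flag = 0x82000000\n"
        "pKIExtendedKeyUsage = 1.3.6.1.4.1.311.20.2.2\n"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the matched ones with triage notes."""
    hits = []
    for event in events:
        verdict = evaluate(event)
        if verdict["matched"]:
            hits.append({**verdict, **triage(event), "EventID": event["EventID"]})
    return hits


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Running it prints the two hits. The web server template (Server Authentication only) and the smart card template whose subject comes from AD do not match, which is exactly the distinction the rule relies on to avoid the listed false positives; the manager-approval note on the third event is the extra context a responder wants before escalating.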
MITRE ATT&CK
Privilege Escalation (TA0004), Credential Access (TA0006)
Rule Metadata
Rule ID
bfbd3291-de87-4b7c-88a2-d6a5deb28668
Status
test
Level
high
Type
Detection
Created
Wed Nov 17
Modified
Sun Dec 25
Author
Orlinum, BlueDefenZer
Path
rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
Raw Tags
attack.privilege-escalation, attack.credential-access