ADCS Certificate Template Configuration Vulnerability

calendar Dec 27, 2022 · attack.privilege_escalation attack.credential_access  ·
Share on: linkedin copy

Detects certificate creation with template allowing risk permission subject

Sigma rule (View on GitHub)

 1title: ADCS Certificate Template Configuration Vulnerability
 2id: 5ee3a654-372f-11ec-8d3d-0242ac130003
 3status: test
 4description: Detects certificate creation with template allowing risk permission subject
 5references:
 6    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
 7author: Orlinum , BlueDefenZer
 8date: 2021/11/17
 9modified: 2022/12/25
10tags:
11    - attack.privilege_escalation
12    - attack.credential_access
13logsource:
14    product: windows
15    service: security
16    definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.
17detection:
18    selection1:
19        EventID: 4898
20        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
21    selection2:
22        EventID: 4899
23        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
24    condition: selection1 or selection2
25falsepositives:
26    - Administrator activity
27    - Proxy SSL certificate with subject modification
28    - Smart card enrollement
29level: low

References

  • UȨ¬š`:´Líàopþ ÿ гüyz1_Tíàëå«@—+€ÑN»!< 3ñP]<(}�B–Gïª`bÀdò5)h4Ãð™Ü ¦Zàfæò˜d�ÖQ·xÈt O*³Cx*sùút<¨ckø´hGÏ7L@‰oB"á¸Váĺª&dSL²yFa°NTLH\JÒõ$aªù"e(�Ò…B[ÃóŸÅ BŠÑ…`„ÊŠŽ/14Ž2Ø[...


    Read More

Related rules

to-top