ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects the loading or modification of a certificate template (event IDs 4898 and 4899) that both allows the enrollee to supply the subject and carries a risky EKU

Sigma rule

title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
status: test
description: Detects the loading or modification of a certificate template that both allows the enrollee to supply the subject and carries a risky EKU
references:
    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum, BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
logsource:
    product: windows
    service: security
    definition: Event ID 4898 is logged when Certificate Services loads a template, and event ID 4899 when a Certificate Services template is updated. A template is considered risky when it contains the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag together with a risky EKU.
detection:
    selection10:
        EventID: 4898
        TemplateContent|contains:
            - '1.3.6.1.5.5.7.3.2'
            - '1.3.6.1.5.2.3.4'
            - '1.3.6.1.4.1.311.20.2.2'
            - '2.5.29.37.0'
    selection11:
        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'

    selection20:
        EventID: 4899
        NewTemplateContent|contains:
            - '1.3.6.1.5.5.7.3.2'
            - '1.3.6.1.5.2.3.4'
            - '1.3.6.1.4.1.311.20.2.2'
            - '2.5.29.37.0'
    selection21:
        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'

    condition: (selection10 and selection11) or (selection20 and selection21)
falsepositives:
    - Administrator activity
    - Proxy SSL certificate with subject modification
    - Smart card enrollment
level: high
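The rule's condition, re-implemented as plain Python over Windows Security events rendered as dicts, so the matching logic can be tested against sample input. This is an added example, not code from the Sigma project; the event bodies are constructed to mimic the flag names and EKU OIDs the rule searches for, and the OID-to-name mapping is standard PKI knowledge rather than part of the rule.

```python
"""Reference implementation of the Sigma condition above."""

# The four EKU OIDs the rule treats as risky, with their standard names.
RISKY_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
SUBJECT_FLAG = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"

# Event ID -> field holding the template definition (selection10 / selection20).
CONTENT_FIELD = {4898: "TemplateContent", 4899: "NewTemplateContent"}


def risky_ekus(content: str) -> list[str]:
    """Names of the risky EKU OIDs present in a template dump."""
    return [name for oid, name in RISKY_EKUS.items() if oid in content]


def matches_rule(event: dict) -> bool:
    """(selection10 and selection11) or (selection20 and selection21).

    Sigma 'contains' is case-insensitive, so the content is lower-cased first.
    """
    field = CONTENT_FIELD.get(event.get("EventID"))
    if field is None:
        return False
    content = str(event.get(field, "")).lower()
    return bool(risky_ekus(content)) and SUBJECT_FLAG.lower() in content


# Constructed sample events (not captured from a real CA); only 0 and 3 match.
SAMPLE_EVENTS = [
    {"EventID": 4898, "TemplateContent":
        "msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT\n"
        "pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2"},
    {"EventID": 4899, "NewTemplateContent":          # risky EKU, safe flag
        "msPKI-Certificate-Name-Flag: CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN\n"
        "pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.2"},
    {"EventID": 4899, "NewTemplateContent":          # flag, but Server Auth EKU
        "msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT\n"
        "pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1"},
    {"EventID": 4898, "TemplateContent": "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT 2.5.29.37.0"},
]


def alerts(events) -> list[int]:
    """Indexes of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(i, ev["EventID"], risky_ekus(ev[CONTENT_FIELD[ev["EventID"]]]))
```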
