HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the Certificate Service (AD CS). The rule keys on the tool's argument names rather than its binary name, so a renamed executable is still caught as long as the command line keeps the `--adcs` and `--port` switches.
Sigma rule (View on GitHub)
title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authentication from machine accounts and relaying to the certificate service
references:
    - https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' --adcs '
            - ' --port '
    condition: selection
falsepositives:
    - Unlikely
level: high
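The selection above is a single `contains|all` test on `CommandLine`: both substrings, each padded with a space on either side, must occur somewhere in the command line, and Sigma string matching is case-insensitive unless a rule says otherwise. The script below is an added example (not part of the Sigma rule, the SigmaHQ project, or ADCSPwn) that transcribes that logic in Python and runs it over a few constructed process_creation events. The hostnames, paths and user names are placeholders, and the `--adcs=host` event is constructed purely to show where the rule's pattern boundary lies; whether ADCSPwn's own argument parser accepts that form is not claimed here.

```python
"""Evaluate the 'HackTool - ADCSPwn Execution' Sigma selection over constructed events."""
from dataclasses import dataclass

# Transcribed from the rule above:
#   CommandLine|contains|all: [' --adcs ', ' --port ']
#   condition: selection
# Sigma matches strings case-insensitively by default, so the helper lower-cases both sides.
RULE_TITLE = "HackTool - ADCSPwn Execution"
RULE_LEVEL = "high"
REQUIRED_SUBSTRINGS = (" --adcs ", " --port ")


@dataclass
class ProcessCreationEvent:
    """Minimal process_creation record; field names follow Sigma's Windows taxonomy."""
    image: str
    command_line: str
    user: str


def contains_all(value: str, needles: tuple[str, ...]) -> bool:
    """Sigma 'contains|all': every needle must appear as a case-insensitive substring."""
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_adcspwn_rule(event: ProcessCreationEvent) -> bool:
    """True when the event satisfies the rule's only selection (condition: selection)."""
    return contains_all(event.command_line, REQUIRED_SUBSTRINGS)


def evaluate(events: list[ProcessCreationEvent]) -> list[dict]:
    """Run the rule over a batch of events and return one alert record per match."""
    alerts = []
    for ev in events:
        if matches_adcspwn_rule(ev):
            alerts.append({
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "image": ev.image,
                "user": ev.user,
                "command_line": ev.command_line,
            })
    return alerts


# Constructed sample events (not real telemetry); hosts, paths and users are placeholders.
SAMPLE_EVENTS = [
    # Straightforward invocation: --adcs names the CA host, --port the local listener.
    ProcessCreationEvent(r"C:\Users\jdoe\Desktop\ADCSPwn.exe",
                         r"ADCSPwn.exe --adcs ca01.corp.example --port 8080 --remote dc01.corp.example",
                         r"CORP\jdoe"),
    # Renamed binary with upper-cased switches: still caught, because the rule looks only at
    # CommandLine and matching is case-insensitive.
    ProcessCreationEvent(r"C:\Windows\Temp\svchost.exe",
                         r"svchost.exe --ADCS ca01.corp.example --PORT 8080",
                         r"CORP\jdoe"),
    # Benign service: only one of the two required substrings is present.
    ProcessCreationEvent(r"C:\Program Files\App\app.exe",
                         r"app.exe --port 443 --config C:\app\app.yml",
                         r"NT AUTHORITY\SYSTEM"),
    # Pattern-boundary caveat (constructed): with a '--adcs=' form there is no space after the
    # switch, so the padded needle ' --adcs ' never occurs and the rule stays silent.
    ProcessCreationEvent(r"C:\Users\jdoe\Desktop\ADCSPwn.exe",
                         r"ADCSPwn.exe --adcs=ca01.corp.example --port=8080",
                         r"CORP\jdoe"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['user']} ran {alert['command_line']}")
```

The first two events fire and the last two do not. The padded-space needles are what keep the rule from matching on `--adcsfoo` or `--ports`, but they also mean a `switch=value` spelling, or `--adcs` as the final token with nothing after it, falls outside the pattern; if your telemetry source trims or normalises command lines, check that the leading space before each switch survives before relying on this rule.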
References
- https://github.com/bats3c/ADCSPwn
Related rules
- RottenPotato Like Attack Pattern
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU