HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
Sigma rule
title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
references:
    - https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' --adcs '
            - ' --port '
    condition: selection
falsepositives:
    - Unlikely
level: high
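As an added illustration (not part of the Sigma project or this rule), the following Python evaluates the rule's `CommandLine|contains|all` selection the way a Sigma backend would, over a few constructed process_creation events. It assumes Sigma's default case-insensitive substring matching and keeps the surrounding spaces of both patterns, so each flag must appear as a separate whitespace-delimited argument.

```python
# Added example: applies this rule's selection to constructed
# process_creation events. Not code from the Sigma project.
# Sigma string matching is case-insensitive by default, so both the
# event field and the patterns are lowercased before comparison.

SELECTION_CONTAINS_ALL = [' --adcs ', ' --port ']


def matches_rule(event: dict) -> bool:
    """True when CommandLine contains every pattern (case-insensitive
    substring match, as Sigma's contains|all modifier requires)."""
    cmdline = event.get("CommandLine", "").lower()
    return all(p.lower() in cmdline for p in SELECTION_CONTAINS_ALL)


# Constructed sample events; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\adcspwn.exe",
     "CommandLine": r"adcspwn.exe --adcs ca01.corp.local --port 8080"},
    # Renamed binary with mixed-case flags: still matches, because the
    # rule keys on arguments rather than on the image name.
    {"Image": r"C:\Users\bob\tool.exe",
     "CommandLine": r"tool.exe --ADCS pki.corp.local --PORT 9001"},
    # Legitimate certificate tooling: no match.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -dump"},
    # Only one of the two required flags: no match (contains|all).
    {"Image": r"C:\Tools\scanner.exe",
     "CommandLine": r"scanner.exe --port 443 --target host01"},
]


def run_detection(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT HackTool - ADCSPwn Execution:", hit["CommandLine"])
```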
References
- https://github.com/bats3c/ADCSPwn
Related rules
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- HackTool - Impacket Tools Execution
- Local Privilege Escalation Indicator TabTip
- Potential PetitPotam Attack Via EFS RPC Calls
- Potential SMB Relay Attack Tool Execution