Windows Steal Authentication Certificates - ESC1 Abuse

Author: Steven Dick
Source: upstream

The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1649` Steal or Forge Authentication Certificates

Event coverage

Provider	Event ID	Title
Security-Auditing	4886	Certificate Services received a certificate request.
Security-Auditing	4887	Certificate Services approved a certificate request and issued a certificate.

Stages and Predicates

Stage 1: `search`

search Attributes="*CertificateTemplate:*" Attributes="*SAN:*upn*" EventCode IN (4886, 4887)

Stage 2: `stats`

stats BY Computer, EventCode, Requester, Attributes, RequestId

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `fillnull`

fillnull

Stage 6: `rex`

rex field=Attributes ...

Stage 7: `rex`

rex field=Attributes ...

Stage 8: `rex`

rex field=Attributes ...

Stage 9: `rex`

rex field=Attributes ...

Stage 10: `rex`

rex field=Requester ...

Stage 11: `eval`

eval ... using (Computer, EventCode, req_dest_1, req_dest_2, req_src)

Stage 12: `fields`

fields req_*

Stage 13: `rename`

rename

Stage 14: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Attributes`	eq	`"CertificateTemplate:"` corpus 2 (splunk 2) `"SAN:upn*"` corpus 2 (splunk 2)
`EventCode`	in	`4886` `4887` corpus 2 (splunk 2)

Windows Steal Authentication Certificates - ESC1 Abuse

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search

Stage 4: search

Stage 5: fillnull

Stage 6: rex

Stage 7: rex

Stage 8: rex

Stage 9: rex

Stage 10: rex

Stage 11: eval

Stage 12: fields

Stage 13: rename

Stage 14: search