Windows Steal Authentication Certificates - ESC1 Authentication

Author: Steven Dick
Source: upstream

The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1550` Use Alternate Authentication Material
Credential Access	`T1649` Steal or Forge Authentication Certificates
Lateral Movement	`T1550` Use Alternate Authentication Material

Event coverage

Provider	Event ID	Title
Security-Auditing	4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	4887	Certificate Services approved a certificate request and issued a certificate.

Stages and Predicates

Stage 1: `search`

search Attributes="*CertificateTemplate:*" Attributes="*SAN:*upn*" EventCode=4887

Stage 2: `stats`

stats BY Computer, EventCode, Requester, Attributes, RequestId

Stage 3: `rex`

rex field=Attributes ...

Stage 4: `rex`

rex field=Attributes ...

Stage 5: `rex`

rex field=Attributes ...

Stage 6: `rex`

rex field=Attributes ...

Stage 7: `rex`

rex field=Requester ...

Stage 8: `rename`

rename

Stage 9: `eval`

eval ... using (req_user_1, req_user_2)

Stage 10: `join`

join type=inner (...)

Stage 11: `eval`

eval ... using (auth_dest, auth_src, req_dest_1, req_dest_2, req_src)

Stage 12: `eval`

eval ... using (signature_id, src_user, ssl_serial, user)

Stage 13: `fields`

fields auth_*, req_*

Stage 14: `search`

search

Stage 15: `search`

search

Stage 16: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Attributes`	eq	`"CertificateTemplate:"` corpus 2 (splunk 2) `"SAN:upn*"` corpus 2 (splunk 2)
`CertThumbprint`	eq	`*`
`EventCode`	eq	`4768` corpus 10 (splunk 10)
`EventCode`	in	`4887` corpus 2 (splunk 2)

Windows Steal Authentication Certificates - ESC1 Authentication

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: rex

Stage 4: rex

Stage 5: rex

Stage 6: rex

Stage 7: rex

Stage 8: rename

Stage 9: eval

Stage 10: join

Stage 11: eval

Stage 12: eval

Stage 13: fields

Stage 14: search

Stage 15: search

Stage 16: search