Tag
high
advisory
Windows AD CS ESC1 Certificate Authentication Abuse
2 rules 2 TTPsThis analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.
Active Directory Certificate Services +3
adcs
certificate_abuse
privilege_escalation
windows
2r
2t
high
advisory
Suspicious Certificate Issuance and Authentication via AD CS ESC1
2 rules 2 TTPsThis analytic detects suspicious certificate issuance with a Subject Alternative Name (SAN) via Active Directory Certificate Services (AD CS) followed by immediate authentication, using Windows Security Event Logs (EventCode 4887 and 4768), which, if successful, can lead to privilege escalation and environment compromise.
Active Directory Certificate Services
esc1
certificate_abuse
privilege_escalation
windows
2r
2t