{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/certificate_abuse/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Active Directory Certificate Services", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"],
      "_cs_severities": ["high"],
      "_cs_tags": ["adcs", "certificate_abuse", "privilege_escalation", "windows"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eThis detection identifies potential abuse of Active Directory Certificate Services (AD CS) through ESC1 (Enterprise Subordinate Certification Authority 1) authentication. The technique involves exploiting misconfigured certificate templates to issue certificates with Subject Alternative Names (SANs), which are then used for authentication. This can lead to privilege escalation and complete environment compromise. The detection focuses on Windows Security Event Logs, specifically Event ID 4887 for certificate issuance and Event ID 4768 for Kerberos authentication using the issued certificate. It is critical for defenders because successful exploitation allows attackers to impersonate legitimate users and services, gaining unauthorized access and potentially escalating privileges to domain administrator. The activity is often associated with tools like Certipy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AD CS server with improperly configured certificate templates that allow for SAN spoofing (e.g., ESC1 template).\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like Certipy or Certify to request a certificate based on a vulnerable template. The request includes a Subject Alternative Name (SAN) that matches a target user\u0026rsquo;s User Principal Name (UPN).\u003c/li\u003e\n\u003cli\u003eThe AD CS server issues a certificate with the specified SAN, allowing it to be used for authentication. Windows Security Event 4887 is logged.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the issued certificate into their user context on the attacking machine.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the certificate to request a Kerberos Ticket Granting Ticket (TGT) for the target user. Windows Security Event 4768 is logged.\u003c/li\u003e\n\u003cli\u003eThe Kerberos TGT is successfully obtained, enabling the attacker to authenticate as the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the impersonated user\u0026rsquo;s privileges to access sensitive resources, escalate privileges, or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of AD CS via ESC1 authentication abuse can lead to complete domain compromise. Attackers can gain unauthorized access to sensitive data, escalate privileges to domain administrator, and move laterally across the network. This can result in data breaches, system downtime, and significant financial losses. The impact is especially severe in environments with critical infrastructure or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable enhanced Audit Logging on AD CS and within Group Policy Management for CS servers (reference: SpecterOps Certified Pre-Owned whitepaper).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AD CS ESC1 Certificate Authentication Abuse\u0026rdquo; to your SIEM and tune for your environment to detect Event ID 4887 and 4768 activity indicative of certificate abuse.\u003c/li\u003e\n\u003cli\u003eReview and harden certificate templates to prevent SAN spoofing (reference: SpecterOps Certified Pre-Owned whitepaper).\u003c/li\u003e\n\u003cli\u003eMonitor Event ID 4768 for Kerberos authentication events with certificates, and correlate them with recent certificate issuance events (Event ID 4887).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026ldquo;Detect Kerberos Authentication with Newly Issued Certificate\u0026rdquo; to identify authentication events shortly after certificate issuance, to detect related Event ID 4768 activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Event ID 4887 where certificates are issued with Subject Alternative Names (SANs) containing UPNs.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-28T18:00:35Z",
      "date_published": "2026-05-28T18:00:35Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-windows-adcs-esc1/",
      "summary": "This analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.",
      "title": "Windows AD CS ESC1 Certificate Authentication Abuse",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-windows-adcs-esc1/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Certificate_abuse",
  "version": "https://jsonfeed.org/version/1.1"
}