{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/esc1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory Certificate Services"],"_cs_severities":["high"],"_cs_tags":["esc1","certificate_abuse","privilege_escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of Active Directory Certificate Services (AD CS) through the ESC1 attack vector. This involves the issuance of a suspicious certificate containing a Subject Alternative Name (SAN) followed by its immediate use for authentication. The activity is detected by correlating Windows Security Event Logs, specifically Event ID 4887 (certificate issuance) and Event ID 4768 (Kerberos authentication). This technique exploits improperly configured certificate templates within AD CS, which can lead to unauthorized privilege escalation and full compromise of the Windows environment. The activity is significant as a successful attacker can gain domain administrator privileges using tools like Certipy, potentially leading to lateral movement, data exfiltration, or deployment of ransomware. The detection leverages the Splunk ES datamodel and is based on work published by SpecterOps and others.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a user account or gains access to a system with permissions to request certificates.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies vulnerable certificate templates that allow for Subject Alternative Name (SAN) spoofing, specifically user principal name (UPN).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a certificate request, forging the SAN to impersonate a high-privilege user (e.g., Domain Admin).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious certificate request to the AD CS server, triggering Event ID 4887, which indicates a certificate with a SAN was issued.\u003c/li\u003e\n\u003cli\u003eThe AD CS server, if misconfigured, issues the certificate based on the tampered request.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the issued certificate to request a Kerberos Ticket Granting Ticket (TGT) for the impersonated user, generating Windows Event ID 4768 with the certificate thumbprint.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates as the high-privilege user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to perform malicious activities, such as lateral movement, data exfiltration, or domain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete domain compromise. By exploiting misconfigured certificate templates, attackers can escalate privileges to domain administrator, gaining full control over the Active Directory environment. This allows them to move laterally within the network, access sensitive data, deploy ransomware, or disrupt critical services. The impact can be widespread, affecting all systems and users within the compromised domain, causing significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable enhanced audit logging on AD CS and within Group Policy Management for CS server as outlined in the Certified Pre-Owned whitepaper (reference URL).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Certificate Issuance with SAN\u0026quot; to detect Event ID 4887 with attributes indicative of ESC1 exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Kerberos Authentication with Newly Issued Certificate\u0026quot; to detect Event ID 4768 that correlates with recent certificate issuance activity.\u003c/li\u003e\n\u003cli\u003eReview and remediate any certificate templates that allow for arbitrary SAN values to prevent ESC1 exploitation as described in the SpecterOps whitepaper.\u003c/li\u003e\n\u003cli\u003eThrottle correlation by RequestId/ssl_serial to reduce false positives and improve detection fidelity, as mentioned in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-esc1-certificate-abuse/","summary":"This analytic detects suspicious certificate issuance with a Subject Alternative Name (SAN) via Active Directory Certificate Services (AD CS) followed by immediate authentication, using Windows Security Event Logs (EventCode 4887 and 4768), which, if successful, can lead to privilege escalation and environment compromise.","title":"Suspicious Certificate Issuance and Authentication via AD CS ESC1","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esc1-certificate-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Esc1","version":"https://jsonfeed.org/version/1.1"}