Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Hour |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | Active Directory Certificate Services Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A certificate template was updated with a possible misconfiguration. This may indicate the exploitation of misconfigured certificate template access control (ESC4).
Attacker's Goals
An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
Investigative actions
- Review the AD CS configuration for vulnerable templates and EKU settings.
- Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.
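As an added illustration of the first investigative action (this is not vendor-supplied code and is not part of the detector), the following PowerShell snippet enumerates the certificate templates in the forest's Configuration partition and lists the ones whose ACL grants write-type rights (the precondition for ESC4) to broad principals, alongside each template's EKU list. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the Configuration naming context; the set of "broad principals" it flags is an assumed baseline that should be adjusted to the environment.

```powershell
# Added audit helper (not the detector's own code): find certificate templates
# whose ACL lets broad principals modify the template, i.e. the ESC4 precondition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Rights that allow changing template settings or its security descriptor.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Assumed list of principals that should never hold write rights on a template;
# extend or narrow this to match local naming and tiering conventions.
$broadPrincipals = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

Get-ADObject -SearchBase $templateContainer `
             -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties nTSecurityDescriptor, pKIExtendedKeyUsage |
ForEach-Object {
    $template = $_
    # nTSecurityDescriptor is an ActiveDirectorySecurity object; .Access yields the DACL entries.
    $template.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match $writeRights -and
            $_.IdentityReference.Value -match $broadPrincipals
        } |
        ForEach-Object {
            [pscustomobject]@{
                Template  = $template.Name
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                EKU       = ($template.pKIExtendedKeyUsage -join ', ')
            }
        }
} | Format-Table -AutoSize
```

Any row in the output is a template that a low-privileged principal could edit; cross-check it against the template named in the alert and against the change history in the AD CS audit log before treating the update as malicious.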
Variations
- Certificate template was updated to be vulnerable to AD CS ESC attack
- Certificate template was updated with a misconfiguration configuration