Portfolio: malcolmcybersec-io.pages.dev
Date: 21/2/24 ~ Creator: Malcolm L.
In this breakdown, I created an overview of ADCS (Active Directory Certificate Services) concepts, incorporating the adversary's attack path for abusing ADCS misconfigurations to gain DA (Domain Admin) rights within a network. Additionally, I built a detection rule in KQL syntax that you can load into the XDR/SIEM solution of your choice.
MITRE ATT&CK mapping | Severity: Critical
Technique ID | Tactic | Technique |
---|---|---|
T1649 | Credential Access | Steal or Forge Authentication Certificates |
https://www.crowe.com/cybersecurity-watch/exploiting-ad-cs-a-quick-look-at-esc1-esc8
```kql
// Author: Malcolm L. 0xM
// Add the detection query below to your security solution to detect unauthorized
// activity against CA servers in your internal org.
// Note: if your security tool does not accept KQL, convert the syntax to its query language.
// Scope: all endpoints or specific device groups. Frequency: every 12h or 3h.
// Event IDs: 4898 (template loaded), 4890 (template settings changed), 4896 (rows deleted
// from the CA database), 4887 (request approved and issued), 4886 (request received),
// 4882 (CA security permissions changed).
let ADCSEventIds = dynamic([4898, 4890, 4896, 4887, 4886, 4882]);
SecurityEvent
| where EventID in (ADCSEventIds)
// The request-specific columns below depend on how your connector parses the event's
// EventData; rename them to match the schema your SIEM exposes.
| project EventID, TimeGenerated, Computer, RequestedId, Requestor, SourceSystem, AccountName, CACertificateHash
| order by TimeGenerated desc
```
Digital certificates: Used to encrypt and digitally sign electronic documents and messages, as well as to authenticate computers, users, or device accounts on the network.
Certificate Authorities: Issue and manage digital certificates.
Certificate Template: A set of predefined settings and policies that determine how a digital certificate should be structured.
The attack path covered here (ESC1 in the linked article's numbering) is a privilege escalation attack that targets misconfigured certificate templates. It allows a low-privileged user to enroll in the template and request a certificate on behalf of any domain user.
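The indicator a defender can act on is the mismatch between who submitted the request and which principal the resulting certificate names. The script below is an added example (not part of the original breakdown) that runs that check over constructed request (4886) and issuance (4887) records using the same event-ID set as the KQL query above. The keys `RequestId`, `Requester`, `Subject`, `SubjectAlternativeName` and `Template` are assumed names for this example; a real pipeline would fill them from the event's EventData or from the CA database, since the SAN is not carried verbatim in the Windows event itself.

```python
"""Flag ADCS certificate requests whose SAN names a principal other than
the requester (the on-behalf-of pattern in the ESC1 path).
Added example; the records below are constructed, not real CA logs."""
import re
from typing import Dict, Iterable, List

# Same event-ID set the KQL detection filters on.
ADCS_EVENT_IDS = {4898, 4890, 4896, 4887, 4886, 4882}

# Constructed sample records. Field names are assumed for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4886, "RequestId": 101, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe", "SubjectAlternativeName": "upn=jdoe@corp.local",
     "Template": "User"},
    {"EventID": 4887, "RequestId": 101, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe", "SubjectAlternativeName": "upn=jdoe@corp.local",
     "Template": "User"},
    # Same low-privileged requester, but the SAN names a different account.
    {"EventID": 4886, "RequestId": 102, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe",
     "SubjectAlternativeName": "upn=Administrator@corp.local",
     "Template": "CustomEnrolleeSuppliesSubject"},
    {"EventID": 4887, "RequestId": 102, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe",
     "SubjectAlternativeName": "upn=Administrator@corp.local",
     "Template": "CustomEnrolleeSuppliesSubject"},
    # Unrelated logon event: must be dropped by the ID filter.
    {"EventID": 4624, "Requester": "CORP\\jdoe"},
]


def normalize_principal(value: str) -> str:
    """Reduce 'CORP\\jdoe', 'CN=jdoe' or 'upn=jdoe@corp.local' to 'jdoe'."""
    value = re.sub(r"^(?:cn|upn)=", "", value.strip(), flags=re.IGNORECASE)
    value = value.split("\\")[-1]   # drop DOMAIN\ prefix
    value = value.split("@")[0]     # drop @realm suffix
    return value.lower()


def filter_adcs_events(events: Iterable[Dict]) -> List[Dict]:
    """Keep only the CA events the detection cares about."""
    return [e for e in events if e.get("EventID") in ADCS_EVENT_IDS]


def find_on_behalf_of_requests(events: Iterable[Dict]) -> List[Dict]:
    """Return 4886 requests whose SAN principal differs from the requester,
    marking whether the CA went on to issue them (a matching 4887)."""
    adcs = filter_adcs_events(events)
    issued_ids = {e["RequestId"] for e in adcs if e["EventID"] == 4887}
    findings = []
    for e in adcs:
        if e["EventID"] != 4886:
            continue
        san = e.get("SubjectAlternativeName", "")
        if not san:
            continue
        if normalize_principal(san) != normalize_principal(e["Requester"]):
            findings.append({
                "RequestId": e["RequestId"],
                "Requester": e["Requester"],
                "SubjectAlternativeName": san,
                "Template": e["Template"],
                "Issued": e["RequestId"] in issued_ids,
            })
    return findings


if __name__ == "__main__":
    for f in find_on_behalf_of_requests(SAMPLE_EVENTS):
        print(f"request {f['RequestId']}: {f['Requester']} requested a certificate "
              f"for {f['SubjectAlternativeName']} via template {f['Template']} "
              f"(issued={f['Issued']})")
```

The `Issued` flag matters for triage: a flagged request that was also issued means a usable certificate now exists for the named account and should be revoked on the CA, whereas a denied request is evidence of the attempt only.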
Remediation: On the CA, revoke the certificate issued for the impersonated account (listed under "Issued Certificates") and disable or delete the compromised account; subsequent authentication attempts with the revoked certificate fail with "KDC_ERR_CLIENT_REVOKED".