Source: Black Hills Information Security, Inc.
Author: BHIS
URL: https://www.blackhillsinfosec.com/detecting-adcs-privilege-escalation/
ONE SENTENCE SUMMARY:
Misconfigurations in ADCS can create vulnerabilities; enabling auditing and using Sentinel helps detect and alert on credential escalations.
MAIN POINTS:
- ADCS manages certificates for systems, users, and applications in enterprises.
- Misconfigurations can lead to critical vulnerabilities in Active Directory environments.
- Default settings do not enable ADCS event logging; it must be manually configured.
- The ESC1 technique allows low-privileged accounts to gain elevated access.
- Important security event IDs for detection are 4886 and 4887.
- Microsoft Sentinel uses Kusto Query Language for identifying escalation activities.
- Alerts can be configured in Sentinel to notify on detected attacks.
- Sentinel alert rules key on mismatches within these event IDs to flag privilege misuse.
- Additional event IDs include 4900 for security permission changes and 4899 for template updates.
- Ensuring proper auditing is crucial for detection and alert configuration.
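The requester-versus-SAN mismatch check that such an alert rule relies on, as an added stand-alone example in Python rather than the article's Sentinel KQL (it is not the article's own code); the field names, request IDs, account names and sample events below are constructed for this example.

```python
import re

# Event IDs named in the article: 4886 = request received, 4887 = certificate issued.
CERT_REQUEST_RECEIVED = 4886
CERT_ISSUED = 4887

# Constructed sample events. Field names mirror the text of the Windows
# Certificate Services events; they are assumptions for this example.
SAMPLE_EVENTS = [
    {"EventID": 4886, "RequestId": 41, "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "RequestId": 41, "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User",
     "Subject": "CN=alice,OU=Users,DC=corp,DC=local"},
    {"EventID": 4886, "RequestId": 42, "Requester": "CORP\\bob",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local"},
    {"EventID": 4887, "RequestId": 42, "Requester": "CORP\\bob",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local",
     "Subject": "CN=bob,OU=Users,DC=corp,DC=local"},
    {"EventID": 4887, "RequestId": 43, "Requester": "CORP\\carol",
     "Attributes": "CertificateTemplate:User\nSAN:upn=carol@corp.local",
     "Subject": "CN=carol,OU=Users,DC=corp,DC=local"},
]

# A requester-supplied subject alternative name appears in Attributes as SAN:upn=...
SAN_UPN = re.compile(r"san:upn=([^\s,;]+)", re.IGNORECASE)


def requester_account(requester):
    """Return the bare, lower-cased account name from a DOMAIN\\user string."""
    return requester.rsplit("\\", 1)[-1].lower()


def san_upn_mismatch(event):
    """True when the event carries a SAN UPN that names a different account
    than the one that submitted the request (the ESC1 pattern)."""
    match = SAN_UPN.search(event.get("Attributes", ""))
    if not match:
        return False  # no requester-supplied SAN, nothing to compare
    upn_user = match.group(1).split("@", 1)[0].lower()
    return upn_user != requester_account(event["Requester"])


def find_esc1_issuances(events):
    """Return request IDs where a 4886 request with a mismatched SAN UPN
    was followed by a 4887 issuance, i.e. the CA actually handed out the cert."""
    suspicious = {e["RequestId"] for e in events
                  if e["EventID"] == CERT_REQUEST_RECEIVED and san_upn_mismatch(e)}
    return sorted(e["RequestId"] for e in events
                  if e["EventID"] == CERT_ISSUED and e["RequestId"] in suspicious)
```

Only issued certificates are reported, so a denied or pending request with a mismatched SAN is visible in the 4886 event but does not by itself produce an alert here.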
TAKEAWAYS:
- Enable ADCS auditing manually to detect exploitation.
- Use Microsoft Sentinel for continuous monitoring and alerting.
- Security event IDs are essential for tracking privilege escalation.
- Regularly update alert rules to incorporate new vulnerabilities.
- Stay informed about patches and updates for security enhancements.