Skip to content

Latest commit

 

History

History
87 lines (58 loc) · 2.76 KB

T1556.001-WIN.md

File metadata and controls

87 lines (58 loc) · 2.76 KB
Raw

ADCS Certificate Requested via Web Interface

Metadata

ID: 0xFF-0294-ADCS_Certificate_Requested_via_Web_Interface

OS: WindowsServer

FP Rate: Medium

ATT&CK Tags

Tactic Technique Subtechnique Technique Name
TA0006 - Credential Access T1556 Modify Authentication Process

Utilized Data Sources

Log Provider Event ID Event Name ATT&CK Data Source ATT&CK Data Component
WindowsLog_Application W3CIISLog Certificate request via web interface Application Log Application Log Content

Technical description of the attack

​This query uses IIS logs to identify certificates requested via the web interface. In the first step, ADCS servers are listed by looking for an ADCS specific Uri Stem in the IIS logs events. A hard-coded ADCS server list can also be provided as client variable instead (adcs_server_list). In a second step, requests to these servers done via the web interface are identified by looking for POST to a '/certsrv/certfnsh.asp' Uri.

Permission required to execute the technique

User

Detection description

This query looks for ADCS certificates being requested via the web interface. This technique can be used by an attacker to modify authentication processes, in order to evade detection or elevate privileges.

Considerations

This action is not malicious on its own, but should be quite rare. This event must be correlated with other events.

False Positives

This rule will create noise if the web interface is a common way to request certificates in a given environment.

Suggested Response Actions

investigate whether the affected user requested the certificate for a valid business purpose.

Detection Blind Spots

None expected.

References

Detection

Language: Kusto

Platform: Sentinel

Query:

let timeframe = 1h;
// List ADCS servers.
let ADCSsrv = dynamic(["ADCS01.test.lab", "ADCS02.test.lab"]);
// Cert request via web interface.
W3CIISLog
| where ingestion_time() >= ago(timeframe)
| where Computer in~ (ADCSsrv)
| where not(csMethod in~ ("GET","HEAD"))
| where url_decode(csUriStem) =~ "/certsrv/certfnsh.asp"
let timeframe = 1h;
// List ADCS servers.
let CESCEPServers = dynamic(["ADCS01.test.lab", "ADCS02.test.lab"]);
// Cert request via web interface.
W3CIISLog
| where ingestion_time() >= ago(timeframe)
| where Computer in~ (CESCEPServers)
| where url_decode(csUriStem) contains "_CES_Kerberos/service.svc" or url_decode(csUriQuery) contains "_CEP_Kerberos/service.svc"
| where not(csUserAgent =~ "MS-WebServices/1.0")