Techniques
Sample rules
ADCS Certificate Template Configuration Vulnerability
- source: sigma
- techniques:
Description
Detects certificate creation with a template allowing a risky subject permission
Detection logic
condition: selection1 or selection2
selection1:
  EventID: 4898
  TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
selection2:
  EventID: 4899
  NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
ADCS Certificate Template Configuration Vulnerability with Risky EKU
- source: sigma
- techniques:
Description
Detects certificate creation with a template allowing a risky subject permission and a risky EKU
Detection logic
condition: (selection10 and selection11) or (selection20 and selection21)
selection10:
  EventID: 4898
  TemplateContent|contains:
    - 1.3.6.1.5.5.7.3.2
    - 1.3.6.1.5.2.3.4
    - 1.3.6.1.4.1.311.20.2.2
    - 2.5.29.37.0
selection11:
  TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
selection20:
  EventID: 4899
  NewTemplateContent|contains:
    - 1.3.6.1.5.5.7.3.2
    - 1.3.6.1.5.2.3.4
    - 1.3.6.1.4.1.311.20.2.2
    - 2.5.29.37.0
selection21:
  NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT