Detecting ADCS Privilege Escalation
ID: 53b3f6ae-7522-524c-a107-c770981c3025
STIX ID: report--53b3f6ae-7522-524c-a107-c770981c3025
Feed Name: Black Hills Infosec Blog
This blog explains how misconfigurations in Active Directory Certificate Services (ADCS) can enable privilege escalation (e.g., ESC1) by allowing low-privileged accounts to request certificates for privileged users, and it provides step-by-step guidance to enable ADCS auditing and build Microsoft Sentinel detections (KQL queries, alert rules) for relevant event IDs and behaviors.
