FalconFriday — Detecting ADCS web services abuse — 0xFF20

One of the popular attack vectors against ADCS is ESC8 — relaying NTLM credentials to the ADCS HTTP(S) endpoints. While preventing this vulnerability is by far preferable to detecting it, we’ve seen cases where mitigating it is not feasible.

In this FalconFriday we focus on detecting irregular access to the various exposed ADCS web services, rather than detecting the NTLM relaying itself. The three ways to access ADCS over HTTP are:

1. The “web enrollment” application, reachable at http://<ADCS>/certsrv/
2. The “certificate enrollment service” (CES), a web service reachable at https://<ADCS>/<CANAME>_CES_Kerberos/service.svc
3. The NDES service, reachable at https://<ADCS>/CertSrv/mscep/

Since the detection works on access to these web interfaces, make sure the IIS access logs of these servers are onboarded into Sentinel.
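As an added example (not code from the original post or the FalconForce repository), the matching step in Python run over a constructed IIS W3C log: it parses the #Fields header, classifies each request against the three endpoints above, and flags client IPs outside an assumed per-environment allow-list. The allow-list, the CA name and the sample log lines are assumptions.

```python
import re
# The three ADCS web endpoints from the post, matched against cs-uri-stem.
# Order matters: the NDES path lives under /certsrv/, so it is tested first.
ADCS_ENDPOINTS = [
    ("ndes", re.compile(r"^/certsrv/mscep(/|$)", re.IGNORECASE)),
    ("web_enrollment", re.compile(r"^/certsrv(/|$)", re.IGNORECASE)),
    ("ces", re.compile(r"^/[^/]+_CES_Kerberos/service\.svc", re.IGNORECASE)),
]

def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat after log rotation
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def classify_endpoint(uri_stem):
    """Return the ADCS endpoint name for a URI stem, or None if it is not ADCS."""
    for name, pattern in ADCS_ENDPOINTS:
        if pattern.search(uri_stem):
            return name
    return None

def find_adcs_access(text, expected_clients):
    """Findings for ADCS requests; expected_clients is an assumed allow-list of client IPs."""
    findings = []
    for row in parse_iis_w3c(text):
        endpoint = classify_endpoint(row.get("cs-uri-stem", ""))
        if endpoint is None:
            continue
        findings.append({
            "endpoint": endpoint, "client": row["c-ip"],
            "user": row.get("cs-username", "-"), "status": row.get("sc-status", "-"),
            "unexpected_client": row["c-ip"] not in expected_clients,
        })
    return findings

# Constructed sample IIS log (not real data); the last request is from an IP off the allow-list.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /certsrv/ - 80 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2024-01-15 10:01:30 10.0.0.5 GET /CertSrv/mscep/ - 443 - 10.0.2.30 Mozilla/5.0 200
2024-01-15 10:02:00 10.0.0.5 POST /CORP-CA_CES_Kerberos/service.svc - 443 CORP\\svc-enroll 10.0.1.20 - 200
2024-01-15 10:03:00 10.0.0.5 GET /default.htm - 80 - 10.0.9.9 curl/8.0 404
2024-01-15 10:04:00 10.0.0.5 POST /certsrv/ - 80 CORP\\bob 10.0.9.9 - 200
"""
```

In Sentinel the same matching is done in KQL against the onboarded IIS log table; the allow-list is the part you tune per environment.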

Cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday