Query Details

Enrollment Attempt With AD CS ESC1 Honeypot Template

Query

id: f40b688b-e270-40f7-b88a-7f12e6a1b1e6
name: Enrollment attempt with AD CS ESC1 honeypot template
version: 1.0.1
kind: NRT
description: |-
  An AD CS honeypot template that is vulnerable to ESC1 was requested. This is a high-fidelity alert and an indicator that the requesting user account has been compromised.
  The requesting device can also be considered compromised.

  https://posts.specterops.io/certified-pre-owned-d95910965cd2
severity: Medium
tactics:
  - CredentialAccess
relevantTechniques:
  - T1649
query: |-
  SecurityEvent
  // Report all certificate requests to the honeypot PKI
  | where EventID == 4886
  | parse EventData with * 'RequestClientInfo">' * 'User: ' RequestUser: string 'Machine:' RequestMachine: string 'Process:' RequestProcess: string "</" *
  | parse EventData with * 'CertificateTemplate">' CertificateTemplate: string "</" *
  // Check if the request was denied as planned
  | lookup (SecurityEvent
      | where EventID == 4888
      | project DeniedTimeGenerated = TimeGenerated, RequestId, DeniedActivity = Activity)
      on RequestId
  | extend DeniedActivity = iff(isempty(DeniedActivity), "Request was NOT denied", "Request was denied")
  | extend AlertSeverity = iff(DeniedActivity == "Request was NOT denied", "High", "Medium")
  | extend Hostname = split(RequestMachine, '.')[0]
  | extend HostDomainName = split(RequestMachine, '.')[1]
  | extend RequestUserDomain = split(RequestUser, @'\')[0]
  | extend RequestUserName = split(RequestUser, @'\')[1]
  | project
      TimeGenerated,
      Computer,
      Activity,
      RequestUser,
      RequestMachine,
      RequestProcess,
      CertificateTemplate,
      Subject,
      DeniedTimeGenerated,
      DeniedActivity,
      RequestId,
      EventID,
      EventData,
      AlertSeverity,
      Hostname,
      HostDomainName,
      RequestUserDomain,
      RequestUserName
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertDynamicProperties: []
customDetails:
  RequestId: RequestId
  Subject: Subject
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: NTDomain
        columnName: RequestUserDomain
      - identifier: Name
        columnName: RequestUserName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Hostname
      - identifier: DnsDomain
        columnName: HostDomainName
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5d
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails:
      - DisplayName
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult

Explanation

This query is designed to detect suspicious activity related to Active Directory Certificate Services (AD CS) by monitoring for requests to a honeypot certificate template that is vulnerable to a specific attack (ESC1). Here's a simplified breakdown of what the query does:

  1. Source of Data: It looks at security events, specifically those with an EventID of 4886, which Certificate Services logs when it receives a certificate request.

  2. Parsing Event Data: The query extracts details from the event data, such as the user who made the request, the machine and process used, and the certificate template requested.

  3. Checking Request Status: It checks if the certificate request was denied by looking for a corresponding event with EventID 4888. If the request was not denied, it raises the alert severity to "High"; otherwise, it remains "Medium".

  4. Extracting Additional Information: The query further breaks down the requestor's machine and user details into components like hostname, domain name, and user domain.

  5. Projecting Relevant Information: It selects specific fields to include in the output, such as the time of the event, computer name, activity, and alert severity.

  6. Alert Configuration: The query sets up alerts with custom details and maps entities like accounts and hosts for further analysis. It also configures incident creation and grouping based on account details.

  7. Suppression and Incident Management: Suppression is disabled, meaning alerts will not be automatically suppressed, and incidents will be created and grouped based on specific criteria.

Overall, this query is used to identify potentially compromised user accounts and devices by detecting unauthorized certificate requests to a honeypot template, which could indicate malicious activity.
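The steps above can be checked end to end without a Sentinel workspace. The following Python is an added example, not the rule's own KQL and not code by the rule's author: it reimplements the pipeline (parse the 4886 EventData, left-outer lookup of the 4888 denial by RequestId, severity assignment, host and user splitting) over constructed SecurityEvent-shaped records. The EventData strings, the host and user names and the template name are invented and contain only the fragments the two parse statements key on; the regexes mirror those parse statements, with the one difference that captured values are trimmed of surrounding whitespace.

```python
import re

# Constructed sample telemetry (not real events). The EventData strings carry
# only the fragments that the rule's two parse() statements key on.
SAMPLE_EVENTS = [
    {   # 4886 followed by the 4888 denial the honeypot CA is expected to produce
        "TimeGenerated": "2025-08-24T10:00:00Z",
        "Computer": "pki01.corp.example",
        "EventID": 4886,
        "Activity": "4886 - Certificate Services received a certificate request.",
        "RequestId": "1042",
        "Subject": "CN=alice",
        "EventData": (
            '<Data Name="RequestClientInfo">User: CORP\\alice Machine: ws-alice.corp.example '
            'Process: certreq.exe</Data>'
            '<Data Name="CertificateTemplate">HoneypotTemplate-EXAMPLE</Data>'
        ),
    },
    {
        "TimeGenerated": "2025-08-24T10:00:01Z",
        "Computer": "pki01.corp.example",
        "EventID": 4888,
        "Activity": "4888 - Certificate Services denied a certificate request.",
        "RequestId": "1042",
        "Subject": "CN=alice",
        "EventData": "",
    },
    {   # 4886 with no matching 4888 at all: the request was NOT denied
        "TimeGenerated": "2025-08-24T11:30:00Z",
        "Computer": "pki01.corp.example",
        "EventID": 4886,
        "Activity": "4886 - Certificate Services received a certificate request.",
        "RequestId": "1043",
        "Subject": "CN=svc-backup",
        "EventData": (
            '<Data Name="RequestClientInfo">User: CORP\\svc-backup Machine: srv-backup '
            'Process: powershell.exe</Data>'
            '<Data Name="CertificateTemplate">HoneypotTemplate-EXAMPLE</Data>'
        ),
    },
]

# Regex equivalents of the rule's two parse statements.
CLIENT_INFO_RE = re.compile(
    r'RequestClientInfo">.*?User: (?P<user>.*?)Machine:(?P<machine>.*?)Process:(?P<process>.*?)</',
    re.S,
)
TEMPLATE_RE = re.compile(r'CertificateTemplate">(?P<template>.*?)</', re.S)


def parse_request(event_data: str) -> dict:
    """Extract requester, machine, process and template; unmatched fields stay empty, as in KQL parse."""
    out = {"RequestUser": "", "RequestMachine": "", "RequestProcess": "", "CertificateTemplate": ""}
    m = CLIENT_INFO_RE.search(event_data)
    if m:
        out["RequestUser"] = m.group("user").strip()
        out["RequestMachine"] = m.group("machine").strip()
        out["RequestProcess"] = m.group("process").strip()
    m = TEMPLATE_RE.search(event_data)
    if m:
        out["CertificateTemplate"] = m.group("template").strip()
    return out


def split_part(value: str, sep: str, index: int) -> str:
    """split(value, sep)[index] with a missing element yielding empty instead of an error."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else ""


def detect(events: list) -> list:
    """Run the rule's pipeline over a batch of SecurityEvent-shaped records; one alert per 4886."""
    # lookup (SecurityEvent | where EventID == 4888 ...) on RequestId is a left outer join
    denials = {e["RequestId"]: e for e in events if e["EventID"] == 4888}
    alerts = []
    for e in events:
        if e["EventID"] != 4886:
            continue
        row = {k: e.get(k, "") for k in
               ("TimeGenerated", "Computer", "Activity", "Subject", "RequestId", "EventID", "EventData")}
        row.update(parse_request(e["EventData"]))
        denial = denials.get(e["RequestId"])
        row["DeniedTimeGenerated"] = denial["TimeGenerated"] if denial else ""
        row["DeniedActivity"] = "Request was denied" if denial else "Request was NOT denied"
        # an undenied request to the honeypot CA is the worse case and is escalated to High
        row["AlertSeverity"] = "High" if row["DeniedActivity"] == "Request was NOT denied" else "Medium"
        row["Hostname"] = split_part(row["RequestMachine"], ".", 0)
        row["HostDomainName"] = split_part(row["RequestMachine"], ".", 1)
        row["RequestUserDomain"] = split_part(row["RequestUser"], "\\", 0)
        row["RequestUserName"] = split_part(row["RequestUser"], "\\", 1)
        alerts.append(row)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["AlertSeverity"], a["RequestUserDomain"], a["RequestUserName"],
              a["Hostname"], a["RequestProcess"], a["DeniedActivity"])
```

Two points the walk-through makes visible: the rule filters on nothing but EventID 4886, so every request reaching the honeypot CA is reported regardless of template name, and `HostDomainName` receives only the first DNS label after the hostname (`corp` for `ws-alice.corp.example`), which is what the rule's `split(RequestMachine, '.')[1]` yields and what the Host entity's DnsDomain mapping therefore gets.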

Details


Fabian Bader

Released: August 24, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, CertificateTemplate, RequestUser, RequestMachine, RequestProcess, RequestId, EventID, EventData, AlertSeverity, Hostname, HostDomainName, RequestUserDomain, RequestUserName, Computer, Activity, Subject, DeniedTimeGenerated, DeniedActivity, Account, Host, NTDomain, Name, HostName, DnsDomain

Operators

SecurityEvent, where, parse, lookup, on, extend, iff, isempty, split, project
