HackTool - ADCSPwn Execution

Rule name: HackTool - ADCSPwn Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Collection: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), Credential Access: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

ADCSPwn is a known post-exploitation and privilege escalation tool commonly used by attackers to extract credentials and compromise Active Directory Certificate Services (AD CS) infrastructure. While its primary function is to automate a wide range of AD CS attack techniques, attackers often execute ADCSPwn on endpoints after gaining initial access to escalate privileges, move laterally, or gain unauthorized persistent access to certificate templates and domain controllers. This rule is designed to detect the execution of ADCSPwn or its known variants through indicators such as process creation, suspicious command-line arguments, or file system activity.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution of ADCSPwn → Credential theft → Lateral movement → Impact

Impact

  • Escalation of privileges
  • Credential theft (including domain administrator accounts)
  • Certificate and Kerberos ticket forgery
  • Domain persistence and long-term compromise

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" under the registry path "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if it does not already exist.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains " --adcs " AND COMMANDLINE contains " --port " select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
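The following is an added illustration of how the criteria above behave when applied to process-creation events; it is not the product's own rule engine. Field names follow the rule's select clause, and the sample events (hostnames, users, paths) are constructed.

```python
# Added illustration of the rule's criteria over constructed process-creation
# events. Not the detection product's own code; field names follow the
# rule's select clause (HOSTNAME, COMMANDLINE, ...).
from typing import Dict, List

# Fields the rule selects from a matching "Process started" action.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")

# Substrings the criteria require. The surrounding spaces mean the whole
# option name must appear as its own token, so "--adcs-list" does not count.
REQUIRED_TOKENS = (" --adcs ", " --port ")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies Action1 of the rule."""
    if event.get("actionname") != "Process started":
        return False
    cmdline = event.get("COMMANDLINE", "")
    return all(token in cmdline for token in REQUIRED_TOKENS)


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events and project the selected fields."""
    return [{field: ev.get(field, "") for field in SELECTED_FIELDS}
            for ev in events if matches_rule(ev)]


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01",
     "MESSAGE": "Process Create", "USERNAME": "CORP\\jdoe",
     "FILE_NAME": "adcspwn.exe", "PROCESSNAME": "C:\\Temp\\adcspwn.exe",
     "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": "adcspwn.exe --adcs ca01.corp.local --port 8080"},
    {"actionname": "Process started", "HOSTNAME": "WS02",   # only one token
     "MESSAGE": "Process Create", "USERNAME": "CORP\\svc-web",
     "FILE_NAME": "python.exe", "PROCESSNAME": "C:\\Python\\python.exe",
     "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
     "COMMANDLINE": "python.exe app.py --port 8000"},
    {"actionname": "Process ended", "HOSTNAME": "WS01",    # wrong action
     "COMMANDLINE": "adcspwn.exe --adcs ca01.corp.local --port 8080"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["COMMANDLINE"])
```

Only the first sample event is reported; the second lacks " --adcs " and the third is not a "Process started" action, which mirrors why the criteria combine the action name with both command-line tokens.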

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Collection: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), Credential Access: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Security Standards

Enabling this rule will help you meet the security standard requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you're notified of the execution or activity of ADCSPwn, enabling you to review process activity, analyze indicators of credential access, and promptly detect attempted abuses targeting Active Directory Certificate Services. This supports proactive risk monitoring and rapid investigation of privilege escalation events.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule may trigger during legitimate penetration testing, red teaming, or security engineering exercises that invoke ADCSPwn or similar AD CS enumeration tools. Review user, host context, and authorized activities for legitimacy.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
  4. Reconfiguration: Update detection rules, refine privileged user monitoring, and enhance protections and monitoring around AD CS infrastructure.

Mitigation

Mitigation ID - Mitigation Name: Mitigation description

M1042 - Disable or Remove Feature or Program: Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)

M1037 - Filter Network Traffic: Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks. (Citation: byt3bl33d3r NTLM Relaying) (Citation: Secure Ideas SMB Relay) (Citation: Microsoft SMB Packet Signing)

M1031 - Network Intrusion Prevention: Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.

M1030 - Network Segmentation: Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.