socstories.blog

Detection methods, KQL & more

Category: Detections

  • Detecting ADCS attacks

    Detecting ADCS attacks

    You can detect an ADCS attack (a certificate obtained through ADCS being used to authenticate) by monitoring Kerberos EventID 4768 (a Kerberos authentication ticket, i.e. a TGT, was requested) for events where ‘PreAuthType’ == ’16’ (PA-PK-AS-REQ, meaning the TGT was requested with a certificate) and ‘TicketOptions’ startswith ‘0x4080’ (a value hardcoded in several attacker tools). PreAuthType 16 can probably be used as a detection method on its own, but it still needs to be tested whether this gives false…
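    As an added example (not code from the socstories.blog post), the two-condition match described above run over a handful of constructed EventID 4768 records. The field names (EventID, PreAuthType, TicketOptions, TargetUserName, IpAddress) are assumed to mirror the Windows Security log / Sentinel SecurityEvent columns, the KQL in the comment is an assumed mapping rather than a query from the post, and the events are made up for the example. Because legitimate smart-card logons also use PA-PK-AS-REQ, PreAuthType 16 on its own is reported at a lower confidence than the combination with the tool-specific TicketOptions prefix.

```python
# Added example: the detection logic from the post applied to constructed sample events.
# Assumed KQL shape for the same rule (not taken from the post):
#   SecurityEvent
#   | where EventID == 4768 and PreAuthType == "16" and TicketOptions startswith "0x4080"
from dataclasses import dataclass
from typing import Iterable, List

PKINIT_PREAUTH_TYPE = "16"             # PA-PK-AS-REQ: TGT requested with a certificate
TOOL_TICKET_OPTIONS_PREFIX = "0x4080"  # prefix hardcoded in several attacker tools (per the post)

# Constructed sample events, not real log data. Field names follow the Windows Security
# log / Sentinel SecurityEvent columns for EventID 4768 (assumption).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.11",
     "PreAuthType": "2",  "TicketOptions": "0x40810010"},   # password logon, normal options
    {"EventID": 4768, "TargetUserName": "bob",   "IpAddress": "10.0.0.5",
     "PreAuthType": "16", "TicketOptions": "0x40800000"},   # certificate + tool-style options
    {"EventID": 4768, "TargetUserName": "carol", "IpAddress": "10.0.0.7",
     "PreAuthType": "16", "TicketOptions": "0x40810010"},   # certificate, normal options
    {"EventID": 4769, "TargetUserName": "bob",   "IpAddress": "10.0.0.5",
     "PreAuthType": "-",  "TicketOptions": "0x40810000"},   # TGS request, out of scope
    {"EventID": 4768, "TargetUserName": "dave",  "IpAddress": "10.0.0.9",
     "PreAuthType": "2",  "TicketOptions": "0x40800000"},   # tool-style options, no certificate
]


@dataclass(frozen=True)
class Alert:
    account: str
    ip: str
    ticket_options: str
    confidence: str   # "high" = both conditions matched, "medium" = PreAuthType 16 only


def is_certificate_tgt_request(event: dict) -> bool:
    """EventID 4768 whose pre-authentication was PA-PK-AS-REQ (certificate / PKINIT)."""
    return event.get("EventID") == 4768 and str(event.get("PreAuthType")) == PKINIT_PREAUTH_TYPE


def has_tool_ticket_options(event: dict) -> bool:
    """TicketOptions starts with the prefix the post attributes to attacker tooling."""
    return str(event.get("TicketOptions", "")).lower().startswith(TOOL_TICKET_OPTIONS_PREFIX)


def detect_certificate_tgt_requests(events: Iterable[dict]) -> List[Alert]:
    """Return one Alert per certificate-based TGT request, graded by how many conditions hit."""
    alerts: List[Alert] = []
    for ev in events:
        if not is_certificate_tgt_request(ev):
            continue   # non-PKINIT requests are out of scope even with odd TicketOptions
        confidence = "high" if has_tool_ticket_options(ev) else "medium"
        alerts.append(Alert(ev["TargetUserName"], ev["IpAddress"], ev["TicketOptions"], confidence))
    return alerts


if __name__ == "__main__":
    for a in detect_certificate_tgt_requests(SAMPLE_EVENTS):
        print(f"[{a.confidence}] certificate-based TGT for {a.account} from {a.ip} "
              f"(TicketOptions={a.ticket_options})")
```

    On the constructed input only bob (both conditions) and carol (PreAuthType 16 alone) are reported; dave's tool-style TicketOptions without a certificate-based request is deliberately ignored, matching the post's rule that the PreAuthType condition is the primary signal.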