Sample rules
Windows Steal Authentication Certificates - ESC1 Abuse
- source: splunk
- technicques:
- T1649
Description
The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1)
Detection logic
`wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*"
| stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| fillnull
| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"
| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"
| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"
| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"
| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"
| eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer))
| fields - req_*
| rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name
| `windows_steal_authentication_certificates___esc1_abuse_filter`
Windows Steal Authentication Certificates - ESC1 Authentication
- source: splunk
- technicques:
- T1649
- T1550
Description
The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1).
Detection logic
`wineventlog_security` EventCode IN (4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*"
| stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId
| rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"
| rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"
| rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"
| rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"
| rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"
| rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name
| eval user = lower(coalesce(req_user_1,req_user_2))
| join user [
| search `wineventlog_security` EventCode=4768 CertThumbprint=*
| rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src
| fields auth_src,auth_dest,user ]
| eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90
| eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated after a suspicious certificate was issued for it by [".'src_user'."] using certificate request ID: ".'ssl_serial')
| fields - req_* auth_*
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates___esc1_authentication_filter`