LoFP / false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.

Techniques

• T1649

Sample rules

Windows Steal Authentication Certificates CryptoAPI

• source: splunk
• technicques:
  • T1649

Description

The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate’s private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization’s security.

Detection logic

`capi2_operational` EventCode=70 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml 
| rename Computer as dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_cryptoapi_filter`