Techniques
Sample rules
Windows Steal Authentication Certificates CryptoAPI
- source: splunk
- techniques:
- T1649
Description
The following analytic uses the Windows CAPI2 (CryptoAPI 2) operational event log to identify suspicious certificate extraction. This log is primarily intended for diagnosing PKI issues, but it is also a good source for identifying certificate exports. Note that it is noisy, since it captures routine PKI requests from many different processes. EventID 70 is generated whenever a certificate is exported; its description is "Acquire Certificate Private Key". STRT tested this analytic using the Mimikatz binary and the Mimikatz implementation in Cobalt Strike.
Detection logic
`capi2_operational` EventCode=70
| xmlkv UserData_Xml
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_cryptoapi_filter`
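To show what the search above is matching, here is an added Python example (not part of the Splunk rule) that applies the same EventCode=70 filter and the count/firstTime/lastTime-by-Computer aggregation to raw CAPI2 event XML. The sample events are constructed, and the element names under UserData are assumed for illustration only.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, computer, created, userdata_xml):
    # Build a minimal Windows event record in the standard event XML schema.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{created}"/><Computer>{computer}</Computer>'
            f'</System><UserData>{userdata_xml}</UserData></Event>')

# Constructed sample events, not real captures; the AcquireCertificatePrivateKey
# element and its attributes are assumed, not taken from the CAPI2 schema.
KEY_70 = ('<AcquireCertificatePrivateKey><Certificate subjectName="CN=alice" store="MY"/>'
          '<Result value="0"/></AcquireCertificatePrivateKey>')
SAMPLE_EVENTS = [
    _event(70, "WS01.corp.local", "2024-03-01T10:00:00.000Z", KEY_70),
    _event(11, "WS01.corp.local", "2024-03-01T10:00:01.000Z",   # noise: not an export
           '<CertGetCertificateChain><Certificate subjectName="CN=alice"/></CertGetCertificateChain>'),
    _event(70, "WS01.corp.local", "2024-03-01T10:05:00.000Z", KEY_70),
    _event(70, "DC01.corp.local", "2024-03-01T11:00:00.000Z",
           '<AcquireCertificatePrivateKey><Certificate subjectName="CN=DC01" store="MY"/>'
           '<Result value="0"/></AcquireCertificatePrivateKey>'),
]

def flatten_userdata(node):
    """Approximate Splunk's xmlkv: every element/attribute under UserData becomes key=value."""
    pairs = []
    for el in node.iter():
        tag = el.tag.split("}")[-1]                      # strip the XML namespace
        pairs += [f"{tag}.{k}={v}" for k, v in el.attrib.items()]
        if el.text and el.text.strip():
            pairs.append(f"{tag}={el.text.strip()}")
    return " ".join(sorted(pairs))

def acquire_private_key_stats(events):
    """EventCode=70 | stats count min(_time) max(_time) by Computer (as dest), UserData."""
    stats = {}
    for raw in events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "70":
            continue                                    # only "Acquire Certificate Private Key"
        dest = root.findtext("e:System/e:Computer", namespaces=NS)
        raw_ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
        key = (dest, flatten_userdata(root.find("e:UserData", NS)))
        entry = stats.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ts)
        entry["lastTime"] = max(entry["lastTime"], ts)
    return stats
```

Rows with a high count on one host, or a UserData value that names a certificate no legitimate process should touch, are the ones the production filter macro is meant to leave standing.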