LoFP / false positives may be present in some instances of legitimate applications requiring to export certificates. filter as needed.

Techniques

• T1649

Sample rules

Windows Steal Authentication Certificates CryptoAPI

• source: splunk
• technicques:
  • T1649

Description

The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is “Acquire Certificate Private Key”. STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike.

Detection logic

`capi2_operational` EventCode=70 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml 
| rename Computer as dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_cryptoapi_filter`