False positives will be generated based on normal certificate requests. Leave enabled to generate risk, as this is meant to be an anomaly analytic.

Techniques

Sample rules

Windows Steal Authentication Certificates Certificate Request

Description

The following analytic identifies when a new certificate is requested from Active Directory Certificate Services (AD CS). By its very nature this is not malicious, but it should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886, “Certificate Services received a certificate request”.

Detection logic

`wineventlog_security` EventCode=4886 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_certificate_request_filter`
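The same detection logic expressed outside Splunk, as an added example that is not part of the original rule or the Splunk security content project: it filters constructed Windows Security events down to EventCode 4886, then aggregates count, first-seen and last-seen time by the same fields the SPL `stats` clause uses (dest, name, Requester, action, Attributes). The sample events are constructed, not real logs; the timestamp format is assumed to mirror the `security_content_ctime` macro's `%Y-%m-%dT%H:%M:%S` output, and the `exclude_requesters` parameter is a hypothetical stand-in for the rule's `_filter` macro, which by default filters nothing.

```python
from datetime import datetime, timezone

# Constructed sample events (not real logs). Field names mirror the SPL on
# this page. Event 4887 (request approved/issued) is included to show that
# the EventCode filter drops anything that is not 4886.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4886, "dest": "ca01.example.local",
     "name": "Certificate Services received a certificate request",
     "Requester": "EXAMPLE\\alice", "action": "success",
     "Attributes": "CertificateTemplate:User"},
    {"_time": 1700001800, "EventCode": 4886, "dest": "ca01.example.local",
     "name": "Certificate Services received a certificate request",
     "Requester": "EXAMPLE\\svc-web$", "action": "success",
     "Attributes": "CertificateTemplate:WebServer"},
    {"_time": 1700002000, "EventCode": 4887, "dest": "ca01.example.local",
     "name": "Certificate Services approved a certificate request and issued a certificate",
     "Requester": "EXAMPLE\\alice", "action": "success",
     "Attributes": "CertificateTemplate:User"},
    {"_time": 1700003600, "EventCode": 4886, "dest": "ca01.example.local",
     "name": "Certificate Services received a certificate request",
     "Requester": "EXAMPLE\\alice", "action": "success",
     "Attributes": "CertificateTemplate:User"},
    {"_time": 1700004000, "EventCode": 4886, "dest": "ca02.example.local",
     "name": "Certificate Services received a certificate request",
     "Requester": "EXAMPLE\\bob", "action": "success",
     "Attributes": "CertificateTemplate:User"},
]

GROUP_FIELDS = ("dest", "name", "Requester", "action", "Attributes")


def security_content_ctime(epoch):
    """Assumed equivalent of the Splunk macro: epoch -> %Y-%m-%dT%H:%M:%S (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_certificate_requests(events, exclude_requesters=frozenset()):
    """Emulates:
         EventCode=4886
         | stats count min(_time) as firstTime max(_time) as lastTime
             by dest, name, Requester, action, Attributes
         | security_content_ctime(firstTime) | security_content_ctime(lastTime)
         | <filter macro>   (here: a hypothetical requester exclusion set)
    Returns one row per distinct group, sorted by dest then Requester.
    """
    groups = {}
    for ev in events:
        # Only "Certificate Services received a certificate request" events.
        if int(ev.get("EventCode", 0)) != 4886:
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        # Filter macro stage: drop groups the analyst has chosen to suppress.
        if row["Requester"] in exclude_requesters:
            continue
        row["count"] = g["count"]
        row["firstTime"] = security_content_ctime(g["firstTime"])
        row["lastTime"] = security_content_ctime(g["lastTime"])
        rows.append(row)
    return sorted(rows, key=lambda r: (r["dest"], r["Requester"]))


if __name__ == "__main__":
    for r in detect_certificate_requests(SAMPLE_EVENTS):
        print(f'{r["dest"]:<20} {r["Requester"]:<18} {r["Attributes"]:<30} '
              f'count={r["count"]} first={r["firstTime"]} last={r["lastTime"]}')
```

Because this is an anomaly analytic rather than a high-confidence alert, the grouped rows are meant to feed a risk score or be correlated with neighbouring certificate events (for example the issuance event that follows a request) rather than paged on directly; the exclusion set mirrors how the `_filter` macro is the place to suppress known-benign requesters without disabling the rule.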