Techniques
Sample rules
Windows Steal Authentication Certificates Certificate Request
- source: splunk
- techniques:
  - T1649
Description
The following analytic identifies when a new certificate is requested from Active Directory Certificate Services (AD CS). By its very nature this is not malicious, but it should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886, “Certificate Services received a certificate request”.
Detection logic
`wineventlog_security` EventCode=4886
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_certificate_request_filter`
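The same aggregation as the search above, written as an added stand-alone Python example (not Splunk's code): it filters constructed 4886 events, groups by the same fields, and reports count, firstTime and lastTime. The input line format, the UTC time formatting used in place of `security_content_ctime`, and the `ignore_requesters` allowlist standing in for the trailing `_filter` macro are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs): epoch seconds, then key=value
# pairs whose names mirror the fields used by the search.
SAMPLE_EVENTS = r"""
1700000000 EventCode=4886 dest=ca01.corp.example name="Certificate Services received a certificate request" Requester=CORP\alice action=allowed Attributes=CertificateTemplate:User
1700000060 EventCode=4886 dest=ca01.corp.example name="Certificate Services received a certificate request" Requester=CORP\alice action=allowed Attributes=CertificateTemplate:User
1700000120 EventCode=4886 dest=ca01.corp.example name="Certificate Services received a certificate request" Requester=CORP\svc-web$ action=allowed Attributes=CertificateTemplate:WebServer
1700000180 EventCode=4624 dest=ca01.corp.example name="An account was successfully logged on" Requester=- action=- Attributes=-
""".strip().splitlines()

GROUP_BY = ("dest", "name", "Requester", "action", "Attributes")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_event(line):
    """Turn one constructed line into a dict with an integer _time field."""
    epoch, _, rest = line.partition(" ")
    event = {"_time": int(epoch)}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def ctime(epoch):
    """Assumed stand-in for security_content_ctime: epoch seconds to UTC text."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def certificate_request_stats(lines, ignore_requesters=()):
    """EventCode=4886 | stats count min(_time) max(_time) by GROUP_BY.
    ignore_requesters is the assumed tuning hook that the *_filter macro
    provides in the search (e.g. a known-good enrollment account)."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4886" or ev.get("Requester") in ignore_requesters:
            continue
        buckets[tuple(ev.get(f, "") for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in buckets.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in certificate_request_stats(SAMPLE_EVENTS):
        print(row)
```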