LoFP / false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.

Techniques

• T1649

Sample rules

Windows Steal Authentication Certificates CertUtil Backup

• source: splunk
• technicques:
  • T1649

Description

The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_certutil_backup_filter`

Windows Steal Authentication Certificates CS Backup

• source: splunk
• technicques:
  • T1649

Description

The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.

Detection logic

`wineventlog_security` EventCode=4876
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_cs_backup_filter`