Techniques
Sample rules
Windows Steal Authentication Certificates CS Backup
- source: splunk
- techniques:
- T1649
Description
The following analytic identifies when the Active Directory Certificate Services store is backed up, using Event ID 4876. This event is logged whenever the backup is performed through the CertSrv.msc UI or via CertUtil.exe -BackupDB.
Detection logic
`wineventlog_security` EventCode=4876
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain, Caller_User_Name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_cs_backup_filter`
Windows Steal Authentication Certificates CertUtil Backup
- source: splunk
- techniques:
- T1649
Description
The following analytic is focused on CertUtil.exe performing a backup of the Certificate Store. Administrators may perform this task to migrate or back up the store; however, it is uncommon in most organizations.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_certutil_backup_filter`
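Both rules above, replayed over constructed sample records (added example, not Splunk security content code). It assumes the `process_certutil` macro reduces to a case-insensitive `process_name=certutil.exe` match and translates the rule's own wildcard values into regexes; the `name`, `action` and `_time` values are constructed.

```python
import re

# Constructed sample records (not from the page): Windows Security events and
# Endpoint.Processes rows, flattened to dicts the way Splunk exposes fields.
SECURITY_EVENTS = [
    {"_time": 1700000000, "EventCode": "4876", "dest": "ca01", "name": "Certificate Services backup started",
     "action": "success", "Caller_Domain": "CORP", "Caller_User_Name": "svc_backup"},
    {"_time": 1700003600, "EventCode": "4876", "dest": "ca01", "name": "Certificate Services backup started",
     "action": "success", "Caller_Domain": "CORP", "Caller_User_Name": "svc_backup"},
    {"_time": 1700003700, "EventCode": "4624", "dest": "ca01", "name": "An account was successfully logged on",
     "action": "success", "Caller_Domain": "CORP", "Caller_User_Name": "jdoe"},
]
PROCESS_EVENTS = [
    {"dest": "ca01", "user": "CORP\\jdoe", "process_name": "certutil.exe",
     "process": "certutil.exe -backupdb C:\\Temp\\cabackup"},
    {"dest": "ca01", "user": "CORP\\jdoe", "process_name": "CertUtil.exe",
     "process": "CertUtil.exe -p Passw0rd -backup C:\\Temp\\full"},
    {"dest": "ws02", "user": "CORP\\alice", "process_name": "certutil.exe",
     "process": "certutil.exe -dump"},
    {"dest": "ws03", "user": "CORP\\bob", "process_name": "robocopy.exe",
     "process": "robocopy.exe C:\\data D:\\backup -backupdb x"},   # not certutil: must not fire
]

def spl_wildcard(pattern):
    """Translate a Splunk wildcard value such as '*-backupdb *' into an anchored
    regex. Splunk matches field values case-insensitively, so IGNORECASE is set."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)

# The two values from the rule's `Processes.process IN (...)` clause, verbatim.
BACKUP_PATTERNS = [spl_wildcard(p) for p in ("*-backupdb *", "*-backup *")]

def cs_backup_stats(events):
    """Rule 1: EventCode=4876 | stats count min(_time) max(_time) by the five fields."""
    stats = {}
    for e in events:
        if e.get("EventCode") != "4876":
            continue
        key = tuple(e.get(f) for f in ("dest", "name", "action", "Caller_Domain", "Caller_User_Name"))
        s = stats.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], e["_time"])
        s["lastTime"] = max(s["lastTime"], e["_time"])
    return stats

def certutil_backup_hits(procs):
    """Rule 2: assumed `process_certutil` (process_name == certutil.exe, any case)
    AND the command line matches one of the backup wildcards."""
    return [p for p in procs
            if p.get("process_name", "").lower() == "certutil.exe"
            and any(rx.match(p.get("process", "")) for rx in BACKUP_PATTERNS)]
```

Note that both wildcard values end in a space followed by `*`, so they require an argument after the switch; a command line that ends right at `-backupdb` is not matched by the rule as written.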