false positives will be generated based on normal certificate store backups. leave enabled to generate risk, as this is meant to be an anomaly analytic. if cs backups are not normal, enable as ttp.

Techniques

T1649

Sample rules

Windows Steal Authentication Certificates CS Backup

source: splunk
technicques:
- T1649

Description

The following analytic identifies when the Active Directory Certificate Services store is backed up utilizing Event ID 4876. This event triggers whenever the backup occurs in the UI of CertSrv.msc or via CertUtil.exe -BackupDB occurs.

Detection logic

`wineventlog_security` EventCode=4876
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_cs_backup_filter`

Windows Steal Authentication Certificates CertUtil Backup

source: splunk
technicques:
- T1649

Description

The following analytic is focused on CertUtil.exe performing a backup of the Certificate Store. Typically, administrators may perform this task to migrate or perform backups of the store, however it may be found uncommon in most organizations.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_steal_authentication_certificates_certutil_backup_filter`