Windows Steal Authentication Certificates Certificate Issued
- source: splunk
- techniques:
- T1649
Description
The following analytic identifies when a new certificate is issued by Certificate Services (AD CS). By its very nature this is not malicious, but it should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887, "Certificate Services approved a certificate request and issued a certificate". The event supplies the requester's user context, the DNS hostname of the machine from which they requested the certificate, and the time of the request. The Attributes field in these events commonly carries values for CDC, RMD, and CCM, which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.
Detection logic
`wineventlog_security` EventCode=4887
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_certificate_issued_filter`
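The same grouping as the stats clause above, carried out in Python over constructed 4887 records so the Attributes parsing can be seen step by step (an added example, not Splunk's rule code). The newline-separated key:value layout of Attributes, the CertificateTemplate key and all host and user names are assumptions.

```python
"""Parse the Attributes field of EID 4887 records and summarise issuance
per CA host, requester and requesting machine, as the SPL stats clause does."""
import re
from datetime import datetime

# Constructed sample events, not real logs. The newline-separated key:value
# layout of Attributes and the CertificateTemplate key are assumed here.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "dest": "ca01.corp.local",
     "Requester": "CORP\\alice", "Subject": "CN=alice",
     "Attributes": "CertificateTemplate:User\nCDC:dc01.corp.local\n"
                   "RMD:ws01.corp.local\nCCM:ws01.corp.local"},
    {"_time": "2024-05-01T09:05:00", "dest": "ca01.corp.local",
     "Requester": "CORP\\alice", "Subject": "CN=alice",
     "Attributes": "CertificateTemplate:User\r\nCDC:dc02.corp.local\r\n"
                   "RMD:ws01.corp.local\r\nCCM:ws01.corp.local"},
    {"_time": "2024-05-01T10:30:00", "dest": "ca01.corp.local",
     "Requester": "CORP\\svc-web$", "Subject": "CN=web01.corp.local",
     "Attributes": "CertificateTemplate:WebServer\nCDC:dc01.corp.local\n"
                   "RMD:web01.corp.local\nCCM:web01.corp.local"},
]


def parse_attributes(attributes):
    """Split the Attributes blob into a dict. CDC, RMD and CCM are the Client
    DC, Request Machine DNS name and Cert Client Machine respectively."""
    parsed = {}
    for line in re.split(r"\r?\n", attributes):
        key, sep, value = line.partition(":")
        if sep:  # skip lines with no key:value separator
            parsed[key.strip()] = value.strip()
    return parsed


def summarize_issuance(events):
    """Group by CA host, requester and requesting machine (RMD), keeping
    count, firstTime and lastTime like `stats count min(_time) max(_time)`."""
    summary = {}
    for ev in events:
        attrs = parse_attributes(ev["Attributes"])
        key = (ev["dest"], ev["Requester"], attrs.get("RMD"))
        ts = datetime.fromisoformat(ev["_time"])
        row = summary.setdefault(key, {"count": 0, "firstTime": ts,
                                       "lastTime": ts, "templates": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["templates"].add(attrs.get("CertificateTemplate"))
    return summary
```

Each row of the returned summary is one candidate for the correlation the description calls for, with the CA host, requester and requesting machine kept together.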