False positives will be generated based on normal certificates issued. Leave enabled to generate risk, as this is meant to be an anomaly analytic.

Techniques

Sample rules

Windows Steal Authentication Certificates Certificate Issued

Description

The following analytic identifies when a new certificate is issued by Certificate Services (AD CS). By its very nature this is not malicious, but it should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887, "Certificate Services approved a certificate request and issued a certificate". The event supplies the requester's user context, the DNS hostname of the machine from which they requested the certificate, and the time they requested it. The Attributes field in these events commonly has values for CDC, RMD, and CCM, which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.

Detection logic

`wineventlog_security` EventCode=4887
| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_certificate_issued_filter`
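As an added illustration (not part of the Splunk content above), the following Python splits the 4887 Attributes field into its CDC/RMD/CCM parts and groups issuance by dest, Requester and Subject the way the stats clause does, also collecting the set of requesting machines so one requester enrolling from many hosts is visible. The events, hostnames, accounts and timestamps are constructed for the example.

```python
# Constructed sample 4887 events (a subset of fields); hostnames, accounts
# and timestamps are made up. Attributes is the newline-separated
# name:value text carried by the event.
SAMPLE_EVENTS = [
    {"EventCode": "4887", "_time": 1700000000, "dest": "ca01.corp.example",
     "Requester": "CORP\\alice", "Subject": "CN=alice",
     "Attributes": "CertificateTemplate:User\ncdc:dc01.corp.example\n"
                   "rmd:ws01.corp.example\nccm:ws01.corp.example"},
    {"EventCode": "4887", "_time": 1700000600, "dest": "ca01.corp.example",
     "Requester": "CORP\\alice", "Subject": "CN=alice",
     "Attributes": "CertificateTemplate:User\ncdc:dc01.corp.example\n"
                   "rmd:ws07.corp.example\nccm:ws07.corp.example"},
    {"EventCode": "4886", "_time": 1700000300, "dest": "ca01.corp.example",
     "Requester": "CORP\\bob", "Subject": "CN=bob",
     "Attributes": "CertificateTemplate:User\nccm:ws02.corp.example"},
]


def parse_attributes(attributes):
    """Turn the Attributes blob into a dict keyed by lower-cased name.
    cdc = Client DC, rmd = Request Machine DNS name, ccm = Cert Client Machine."""
    parsed = {}
    for line in attributes.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:
            parsed[name.strip().lower()] = value.strip()
    return parsed


def summarize_issuance(events):
    """Group 4887 events by (dest, Requester, Subject), mirroring the SPL
    stats clause: count, firstTime, lastTime, plus the set of machines the
    certificate was requested from (rmd/ccm)."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != "4887":
            continue  # other CA events (e.g. 4886, request received) are not issuance
        attrs = parse_attributes(ev.get("Attributes", ""))
        key = (ev["dest"], ev["Requester"], ev["Subject"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "machines": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        for field in ("rmd", "ccm"):
            if field in attrs:
                g["machines"].add(attrs[field])
    return groups
```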