detection.wiki

Detection rules › Splunk

Windows Steal Authentication Certificates Certificate Request

Status
production
Severity
low
Group by
Attributes, Requester, action, dest, name
Author
Michael Haag, Splunk
Source
github.com/splunk/security_content

The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1649 Steal or Forge Authentication Certificates

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4886Certificate Services received a certificate request.

Rule body splunk

name: Windows Steal Authentication Certificates Certificate Request
id: 747d7800-2eaa-422d-b994-04d8bb9e06d0
version: 9
creation_date: '2023-02-06'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.
data_source:
    - Windows Event Log Security 4886
search: |-
    `wineventlog_security` EventCode=4886
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest, name, Requester,
           action, Attributes
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_steal_authentication_certificates_certificate_request_filter`
how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.
known_false_positives: False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.
references:
    - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A certificate was requested by $dest$.
analytic_story:
    - Windows Certificate Services
asset_type: Endpoint
mitre_attack_id:
    - T1649
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`wineventlog_security` EventCode=4886

Stage 2: stats

| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, name, Requester,
       action, Attributes

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `windows_steal_authentication_certificates_certificate_request_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4886 corpus 2 (splunk 2)