detection.wiki

Detection rules › Splunk

Windows Steal Authentication Certificates CS Backup

Status
production
Severity
low
Group by
Caller_Domain, action, dest, name, user
Author
Michael Haag, Splunk
Source
github.com/splunk/security_content

The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1649 Steal or Forge Authentication Certificates

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4876Certificate Services backup started.

Rule body splunk

name: Windows Steal Authentication Certificates CS Backup
id: a2f4cc7f-6503-4078-b206-f83a29f408a7
version: 9
creation_date: '2023-02-06'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.
data_source:
    - Windows Event Log Security 4876
search: |-
    `wineventlog_security` EventCode=4876
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest, name, action,
           Caller_Domain ,Caller_User_Name
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_steal_authentication_certificates_cs_backup_filter`
how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.
known_false_positives: False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.
references:
    - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: The Active Directory Certiciate Services was backed up on $dest$.
analytic_story:
    - Windows Certificate Services
asset_type: Endpoint
mitre_attack_id:
    - T1649
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`wineventlog_security` EventCode=4876

Stage 2: stats

| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, name, action,
       Caller_Domain ,Caller_User_Name

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `windows_steal_authentication_certificates_cs_backup_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4876