Certificate Private Key Acquired
Detects when an application acquires a certificate private key
Sigma rule (View on GitHub)
1title: Certificate Private Key Acquired
2id: e2b5163d-7deb-4566-9af3-40afea6858c3
3status: test
4description: Detects when an application acquires a certificate private key
5references:
6 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
7author: Zach Mathis
8date: 2023/05/13
9tags:
10 - attack.credential_access
11 - attack.t1649
12logsource:
13 product: windows
14 service: capi2
15 definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
16detection:
17 selection:
18 EventID: 70 # Acquire Certificate Private Key
19 condition: selection
20falsepositives:
21 - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
22level: medium
References
-
Explore the common certificate abuses leveraged by current and relevant adversaries in the wild, the multiple methods they use to obtain certificates, how to gather relevant logs and ways to mitigate adversaries stealing certificates.
Read More
Related rules
- Certificate Exported From Local Certificate Store
- HackTool - Certify Execution
- HackTool - Certipy Execution
- Certificate Exported Via PowerShell
- Kerberos .kirbi Ticket Files