Active Directory Certificate Services Denied Certificate Enrollment Request
Detects certificate enrollment requests denied by Active Directory Certificate Services. Examples of such denials include issues with permissions on the certificate template or invalid signatures.
Sigma rule
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
    Detects denied requests by Active Directory Certificate Services.
    Examples of such denials include issues with permissions on the certificate template or invalid signatures.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
    - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-CertificationAuthority'
        EventID: 53
    condition: selection
falsepositives:
    - Unknown
level: low
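The rule's selection applied to sample events, as an added example that is not part of the Sigma project or this rule. It assumes events arrive as flat dictionaries keyed by the rule's field names; the `Requester` field, the threshold of 3 and all sample events are constructed for illustration. Because the rule is rated low, the second function groups matches per requester so repeated denials stand out from one-off failures.

```python
from collections import Counter

# Selection copied from the rule above.
SELECTION = {
    "Provider_Name": "Microsoft-Windows-CertificationAuthority",
    "EventID": 53,
}

def matches(event, selection=SELECTION):
    """All fields must match (AND); values compare as case-insensitive strings."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True

def repeated_denials(events, threshold=3):
    """Count matching events per requester; return those at or above threshold.

    'Requester' is a hypothetical field name, not taken from the rule.
    """
    counts = Counter(
        e.get("Requester", "<unknown>") for e in events if matches(e)
    )
    return {who: n for who, n in counts.items() if n >= threshold}

# Constructed sample events (not real log data).
CA = "Microsoft-Windows-CertificationAuthority"
SAMPLE_EVENTS = [
    {"Provider_Name": CA, "EventID": 53, "Requester": "CORP\\svc-web"},
    {"Provider_Name": CA, "EventID": "53", "Requester": "CORP\\svc-web"},
    {"Provider_Name": CA.lower(), "EventID": 53, "Requester": "CORP\\svc-web"},
    {"Provider_Name": CA, "EventID": 53, "Requester": "CORP\\alice"},
    {"Provider_Name": CA, "EventID": 4, "Requester": "CORP\\alice"},  # other ID
    {"Provider_Name": "Service Control Manager", "EventID": 53},  # other provider
    {"EventID": 53},  # provider field missing
]

if __name__ == "__main__":
    hits = [e for e in SAMPLE_EVENTS if matches(e)]
    print(f"{len(hits)} of {len(SAMPLE_EVENTS)} events match the rule")
    for who, n in repeated_denials(SAMPLE_EVENTS).items():
        print(f"{who}: {n} denied requests")
```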
Related rules
- Cisco Crypto Commands
- Mount Execution With Hidepid Parameter
- Renamed BrowserCore.EXE Execution
- Possible DC Shadow Attack
- CreateDump Process Dump