Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Sigma rule (View on GitHub)
1title: Active Directory Certificate Services Denied Certificate Enrollment Request
2id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
3status: experimental
4description: |
5 Detects denied requests by Active Directory Certificate Services.
6 Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
7references:
8 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
9 - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
10author: '@SerkinValery'
11date: 2024/03/07
12tags:
13 - attack.credential_access
14 - attack.t1553.004
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: 'Microsoft-Windows-CertificationAuthority'
21 EventID: 53
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
-
Event ID 53 — AD CS Certificate Request (Enrollment) Processing Article 08/26/2009 Applies To: Windows Server 2008 R2 One of the primary functions of a certification authority (CA) is to evaluate c...
Read More -
Event Source:Microsoft-Windows-CertificationAuthorityEvent ID:53 (0x35)Event log:ApplicationEvent type:WarningSymbolic Name:MSG_DN_CERT_DENIED_WITH_INFOEvent text (English):Active Directory Certifi...
Read More
Related rules
- Cisco Crypto Commands
- No Suitable Encryption Key Found For Generating Kerberos Ticket
- Potential Credential Dumping Activity Via LSASS
- HackTool - Certify Execution
- HackTool - Certipy Execution