Active Directory Certificate Services Denied Certificate Enrollment Request

Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.

Sigma rule (View on GitHub)

 1title: Active Directory Certificate Services Denied Certificate Enrollment Request
 2id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
 3status: experimental
 4description: |
 5    Detects denied requests by Active Directory Certificate Services.
 6    Example of these requests denial include issues with permissions on the certificate template or invalid signatures.    
 7references:
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
 9    - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
10author: '@SerkinValery'
11date: 2024-03-07
12tags:
13    - attack.credential-access
14    - attack.t1553.004
15logsource:
16    product: windows
17    service: system
18detection:
19    selection:
20        Provider_Name: 'Microsoft-Windows-CertificationAuthority'
21        EventID: 53
22    condition: selection
23falsepositives:
24    - Unknown
25level: low

References

Related rules

to-top