Analytics Story: Windows Certificate Services

Description

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.

Why it matters

The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), from misplaced certificate files (i.e., Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs. With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CAs). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates as authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable Privilege Escalation by allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence: a stolen or forged certificate can be used as a Valid Account for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)

Risk-based correlation search for this story (it fires when five or more distinct detections from the story have scored the same system):

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
  from datamodel=Risk.All_Risk
  where All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system"
  by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 5
| `steal_or_forge_authentication_certificates_behavior_identified_filter`
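As an added example (not Splunk's own detection code), the following Python runs the SAN-versus-requester check that underlies the ESC1 detections over a few constructed Security 4887 (certificate issued) and 4768 (Kerberos TGT requested) records, then correlates a mismatch with a certificate-based (PKINIT) TGT request for the impersonated account. The event dictionaries, account names and domain names are constructed for the example; the field names follow the event data of 4887 and 4768, and comparing the SAN UPN's local part with the requester's account name is a simplifying assumption rather than a rule taken from the page.

```python
"""ESC1-style checks over constructed Windows Security 4887 / 4768 records.

Added example for this analytic story; not Splunk's detection code. Sample
records are constructed to mirror the event-data field names of Security
4887 (certificate issued) and 4768 (TGT requested) and are not real logs.
"""
import re

# Constructed sample 4887 events. "Attributes" carries the CA's "Name:Value"
# lines; a SAN supplied as a request attribute looks like
# "SAN:upn=<user>@<domain>" (several items may be joined with '&').
SAMPLE_4887 = [
    {"RequestId": "1043", "Requester": "CORP\\jsmith",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.local"},
    {"RequestId": "1044", "Requester": "CORP\\jsmith",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local"},
    {"RequestId": "1045", "Requester": "CORP\\WS01$",
     "Attributes": "CertificateTemplate:Machine\nSAN:dns=ws01.corp.local"},
    {"RequestId": "1046", "Requester": "CORP\\jsmith",
     "Attributes": "CertificateTemplate:User\nSAN:upn=jsmith@corp.local"},
]
# Constructed sample 4768 events; a populated CertThumbprint means the TGT was
# requested with certificate pre-authentication (PKINIT).
SAMPLE_4768 = [
    {"TargetUserName": "jsmith", "TargetDomainName": "CORP.LOCAL",
     "IpAddress": "10.0.0.25", "CertIssuerName": "", "CertThumbprint": ""},
    {"TargetUserName": "administrator", "TargetDomainName": "CORP.LOCAL",
     "IpAddress": "10.0.0.25", "CertIssuerName": "corp-DC01-CA",
     "CertThumbprint": "3B2F7A1C9D0E4F5A6B7C8D9E0F1A2B3C4D5E6F70"},
]


def parse_attributes(attributes: str) -> dict:
    """Split the multi-line Attributes field into a lower-cased key/value map."""
    result = {}
    for line in attributes.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            result[key.strip().lower()] = value.strip()
    return result


def san_upns(attributes: str) -> list:
    """Return every UPN named in the request-attribute SAN (e.g. 'upn=a@b&dns=h')."""
    san = parse_attributes(attributes).get("san", "")
    return [m.group(1).lower() for m in re.finditer(r"(?i)upn=([^&\s]+)", san)]


def requester_account(requester: str) -> str:
    """'CORP\\jsmith' -> 'jsmith' (machine accounts keep their trailing '$')."""
    return requester.rsplit("\\", 1)[-1].lower()


def find_san_mismatches(events_4887: list) -> list:
    """Flag issued certificates whose attribute SAN names a UPN other than the requester.

    Assumption: the UPN local part equals the requester's sAMAccountName. Where
    UPN suffixes or prefixes diverge, resolve both identities through AD instead.
    """
    findings = []
    for ev in events_4887:
        requester = requester_account(ev["Requester"])
        template = parse_attributes(ev["Attributes"]).get("certificatetemplate", "")
        for upn in san_upns(ev["Attributes"]):
            if upn.split("@", 1)[0] != requester:
                findings.append({"RequestId": ev["RequestId"], "Requester": requester,
                                 "SanUpn": upn, "Template": template})
    return findings


def correlate_pkinit(findings: list, events_4768: list) -> list:
    """Pair each SAN mismatch with a certificate-based TGT request for the impersonated account."""
    matched = []
    for finding in findings:
        target = finding["SanUpn"].split("@", 1)[0]
        for ev in events_4768:
            if ev.get("CertThumbprint") and ev["TargetUserName"].lower() == target:
                matched.append({**finding, "AuthFrom": ev["IpAddress"],
                                "CertThumbprint": ev["CertThumbprint"]})
    return matched


if __name__ == "__main__":
    for hit in correlate_pkinit(find_san_mismatches(SAMPLE_4887), SAMPLE_4768):
        print(f"ESC1 pattern: {hit['Requester']} obtained request {hit['RequestId']} "
              f"({hit['Template']}) for {hit['SanUpn']}; PKINIT logon from {hit['AuthFrom']}")
```

Only request 1044 is flagged: 1043 has no SAN attribute, 1045 names a DNS SAN for the machine that requested it, and 1046 names the requester's own UPN. The 4768 for `administrator` with a certificate thumbprint from the same workstation turns the issuance anomaly into the ESC1 authentication pattern the story's TTP detections describe.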

Detections

Name | Technique | Type
Certutil exe certificate extraction | None | TTP
Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP
Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP
Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP
Windows Export Certificate | Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates | Anomaly
Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly
Windows PowerShell Export Certificate | Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates | Anomaly
Windows PowerShell Export PfxCertificate | Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates - ESC1 Abuse | Steal or Forge Authentication Certificates | TTP
Windows Steal Authentication Certificates - ESC1 Authentication | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | TTP
Windows Steal Authentication Certificates Certificate Issued | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates Certificate Request | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates CertUtil Backup | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates CryptoAPI | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates CS Backup | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates Export Certificate | Steal or Forge Authentication Certificates | Anomaly
Windows Steal Authentication Certificates Export PfxCertificate | Steal or Forge Authentication Certificates | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log CAPI2 70 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
Windows Event Log CertificateServicesClient 1007 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4768 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4876 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4886 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4887 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1