T1649 Steal or Forge Authentication Certificates Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CertTheftCLIKeywords = dynamic(["-exportpfx", "exportpfx", "crypto::certificates", "crypto::capi", "crypto::keys", "/export", "-pkcs12", "adcs", "certsrv", "certstore", "-repairstore", "-importpfx"]);
let KnownCertTheftTools = dynamic(["certify.exe", "certipy.exe", "sharpdpapi.exe", "sharpweb.exe", "certstealer.exe", "ghostpack"]);
let SensitiveExtensions = dynamic([".pfx", ".p12", ".pem", ".key"]);
// Detection 1: Process-based — certutil/certreq abuse and known tools
let ProcessDetections = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    (FileName =~ "certutil.exe" and ProcessCommandLine has_any (CertTheftCLIKeywords))
    or (FileName =~ "certreq.exe" and (ProcessCommandLine has "-submit" or ProcessCommandLine has "-retrieve"))
    or FileName has_any (KnownCertTheftTools)
    or ProcessCommandLine has_any ("crypto::certificates", "crypto::capi /patch", "crypto::keys /export", "sekurlsa::certificates")
  )
| extend DetectionSource = "ProcessEvent"
| extend SuspiciousIndicator = case(
    ProcessCommandLine has "exportpfx", "CertUtil Certificate Export",
    ProcessCommandLine has "crypto::certificates", "Mimikatz Cert Module",
    ProcessCommandLine has "crypto::capi", "Mimikatz CryptoAPI Patch",
    ProcessCommandLine has "crypto::keys", "Mimikatz Key Export",
    ProcessCommandLine has "sekurlsa::certificates", "Mimikatz LSA Cert Dump",
    FileName has_any (KnownCertTheftTools), "Known Cert Theft Tool",
    "Suspicious Certificate CLI Activity"
  )
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    FileName, ProcessCommandLine, SuspiciousIndicator, FolderPath, DetectionSource;
// Detection 2: File-based — suspicious PFX/P12 written to non-standard locations
let FileDetections = DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName has_any (SensitiveExtensions)
| where not(FolderPath has_any (
    "C:\\Windows\\System32\\CertSrv",
    "C:\\ProgramData\\Microsoft\\Crypto",
    "C:\\Users\\All Users\\Microsoft\\Crypto",
    "C:\\Windows\\ServiceProfiles"
  ))
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "MicrosoftEdgeUpdate.exe")
| extend DetectionSource = "FileEvent"
| extend SuspiciousIndicator = "Certificate File Written to Non-Standard Location"
| project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, FolderPath, SuspiciousIndicator, DetectionSource;
// Detection 3: AD CS enrollment anomalies from Security event log
let ADCSDetections = SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4886, 4887, 4899, 4900)
| extend CertRequestDetails = parse_xml(EventData)
| where EventID in (4886, 4887) and SubjectUserName !endswith "$"
| extend DetectionSource = "SecurityEvent"
| extend SuspiciousIndicator = case(
    EventID == 4886, "AD CS Certificate Request Received (User Account)",
    EventID == 4887, "AD CS Certificate Issued to User Account",
    EventID == 4899, "AD CS Certificate Template Modified",
    EventID == 4900, "AD CS Certificate Template Security Updated",
    "AD CS Event"
  )
| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
    InitiatingProcessFileName = "", FileName = "", FolderPath = "",
    SuspiciousIndicator, DetectionSource;
union ProcessDetections, FileDetections, ADCSDetections
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceProcessEvents DeviceFileEvents SecurityEvent

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe
Security operations tooling (vulnerability scanners, certificate inventory tools) that enumerate certificate templates or stores
Developers testing code-signing workflows who export self-signed certificates in PFX format to non-standard directories

Splunk

spl

index=* earliest=-24h
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
[
  search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval match=if(
      (lower(Image) LIKE "%certutil.exe" AND (lower(CommandLine) LIKE "%-exportpfx%" OR lower(CommandLine) LIKE "%exportpfx%" OR lower(CommandLine) LIKE "%-pkcs12%" OR lower(CommandLine) LIKE "%certsrv%" OR lower(CommandLine) LIKE "%-repairstore%"))
      OR (lower(Image) LIKE "%certreq.exe" AND (lower(CommandLine) LIKE "%-submit%" OR lower(CommandLine) LIKE "%-retrieve%"))
      OR (lower(CommandLine) LIKE "%crypto::certificates%" OR lower(CommandLine) LIKE "%crypto::capi%" OR lower(CommandLine) LIKE "%crypto::keys%" OR lower(CommandLine) LIKE "%sekurlsa::certificates%")
      OR lower(Image) LIKE "%certify.exe"
      OR lower(Image) LIKE "%certipy.exe"
      OR lower(Image) LIKE "%sharpdpapi.exe"
    , 1, 0)
  | where match=1
  | fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
  | return Computer
]
| eval DetectionSource=case(
    EventCode=1, "Sysmon_ProcessCreate",
    EventCode=11, "Sysmon_FileCreate",
    EventCode IN (4886,4887,4899,4900), "Security_ADCS",
    1==1, "Unknown"
  )
| eval SuspiciousIndicator=case(
    EventCode=1 AND like(lower(CommandLine),"%exportpfx%"), "CertUtil Certificate Export",
    EventCode=1 AND like(lower(CommandLine),"%crypto::certificates%"), "Mimikatz Cert Module",
    EventCode=1 AND like(lower(CommandLine),"%crypto::capi%"), "Mimikatz CryptoAPI Patch",
    EventCode=1 AND like(lower(CommandLine),"%crypto::keys%"), "Mimikatz Key Export",
    EventCode=1 AND like(lower(CommandLine),"%sekurlsa::certificates%"), "Mimikatz LSA Cert Dump",
    EventCode=1 AND (like(lower(Image),"%certify.exe") OR like(lower(Image),"%certipy.exe") OR like(lower(Image),"%sharpdpapi.exe")), "Known Cert Theft Tool Execution",
    EventCode=1 AND like(lower(Image),"%certreq.exe"), "CertReq Submission/Retrieval",
    EventCode=11 AND (like(lower(TargetFilename),"%.pfx") OR like(lower(TargetFilename),"%.p12")), "Certificate File Created Outside System Path",
    EventCode=4886, "AD CS Certificate Request - User Account",
    EventCode=4887, "AD CS Certificate Issued - User Account",
    EventCode=4899, "AD CS Template Modified",
    EventCode=4900, "AD CS Template Security Updated",
    1==1, "Certificate Suspicious Activity"
  )
| eval AccountName=coalesce(User, SubjectUserName, AccountName)
| table _time, Computer, AccountName, Image, CommandLine, TargetFilename, SuspiciousIndicator, DetectionSource, EventCode
| sort - _time

| append
  [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 earliest=-24h
   | where (like(lower(TargetFilename),"%.pfx") OR like(lower(TargetFilename),"%.p12") OR like(lower(TargetFilename),"%.pem") OR like(lower(TargetFilename),"%.key"))
   | where NOT (like(lower(TargetFilename),"%\\windows\\system32\\certsrv%") OR like(lower(TargetFilename),"%\\programdata\\microsoft\\crypto%") OR like(lower(TargetFilename),"%\\windows\\serviceprofiles%"))
   | where NOT (like(lower(Image),"%svchost.exe") OR like(lower(Image),"%lsass.exe"))
   | eval SuspiciousIndicator="Certificate File Written to Non-Standard Location", DetectionSource="Sysmon_FileCreate"
   | table _time, Computer, User, Image, CommandLine, TargetFilename, SuspiciousIndicator, DetectionSource
   | rename User AS AccountName]

| append
  [search index=* sourcetype="WinEventLog:Security" EventCode IN (4886,4887,4899,4900) earliest=-24h
   | where NOT like(SubjectUserName,"%$")
   | eval SuspiciousIndicator=case(
       EventCode=4886, "AD CS Certificate Request - User Account",
       EventCode=4887, "AD CS Certificate Issued - User Account",
       EventCode=4899, "AD CS Template Modified",
       EventCode=4900, "AD CS Template Security Updated",
       1==1, "AD CS Event"
     ), DetectionSource="Security_ADCS"
   | table _time, Computer, SubjectUserName, SuspiciousIndicator, DetectionSource, EventCode
   | rename SubjectUserName AS AccountName]

| sort - _time

high severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

PKI administrators exporting certificates for backup using certutil.exe -exportPFX during authorized maintenance windows
Web administrators exporting TLS certificates as PFX for IIS or Apache configuration — especially common during certificate renewal cycles
MDM enrollment processes (Intune, SCCM) using certreq.exe -submit for device certificate provisioning
Security scanning tools that enumerate AD CS templates for compliance reporting
Developers running local code-signing tests who write PFX files to development directories

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1649*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe

Google Chronicle / SecOps

yaral

rule detection_t1649 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Steal or Forge Authentication Certificates - T1649"
    severity = "HIGH"
    mitre_attack = "T1649"
    reference = "https://attack.mitre.org/techniques/T1649/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe

Steal or Forge Authentication Certificates

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections