
Detect Steal or Forge Authentication Certificates in IBM QRadar

This detection identifies adversary attempts to steal or forge authentication certificates from Windows certificate stores, Active Directory Certificate Services (AD CS) infrastructure, or via crypto APIs. Key behaviors include use of certutil.exe with export flags, Mimikatz crypto module commands (crypto::certificates, crypto::capi), known AD CS abuse tools (Certify, Certipy), suspicious certificate file creation (.pfx/.p12), anomalous certificate enrollment or template modification events (Security EventIDs 4886, 4887, 4899, 4900), and process access to certificate material in LSASS or DPAPI-protected storage. Successful certificate theft enables persistent authentication as valid accounts and lateral movement without requiring password knowledge.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1649 Steal or Forge Authentication Certificates
Canonical reference
https://attack.mitre.org/techniques/T1649/

QRadar Detection Query

```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%crypto::certificates%' OR "CommandLine" ILIKE '%crypto::capi%' THEN 'MimikatzCryptoModule'
        WHEN "CommandLine" ILIKE '%certify%' OR "CommandLine" ILIKE '%certipy%' THEN 'ADCSAbuseTool'
        WHEN "NewProcessName" ILIKE '%certutil.exe%' AND "CommandLine" ILIKE '%-exportPFX%' THEN 'CertUtilExport'
        WHEN "NewProcessName" ILIKE '%powershell.exe%' AND "CommandLine" ILIKE '%X509Store%' THEN 'PowerShellCryptoAPI'
        WHEN "NewProcessName" ILIKE '%certreq.exe%' THEN 'CertReqEnrollment'
        ELSE 'CertificateFileReference'
    END AS DetectionType,
    CASE
        WHEN "CommandLine" ILIKE '%crypto::%' THEN 90
        WHEN "CommandLine" ILIKE '%certify%' OR "CommandLine" ILIKE '%certipy%' THEN 90
        WHEN "CommandLine" ILIKE '%-exportPFX%' THEN 85
        WHEN "username" = 'SYSTEM' THEN 70
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND "EventID" IN (4688, 1)
    AND (("NewProcessName" ILIKE '%certutil.exe%' AND "CommandLine" ILIKE '%-export%')
        OR "NewProcessName" ILIKE '%certreq.exe%'
        OR ("NewProcessName" ILIKE '%powershell.exe%' AND "CommandLine" ILIKE '%X509Store%')
        OR "CommandLine" ILIKE '%crypto::certificates%'
        OR "CommandLine" ILIKE '%crypto::capi%'
        OR "CommandLine" ILIKE '%certify%'
        OR "CommandLine" ILIKE '%certipy%'
        OR "CommandLine" ILIKE '%.pfx%'
        OR "CommandLine" ILIKE '%.p12%')
ORDER BY EventTime DESC
LAST 1 HOURS
```

Severity
high
Confidence
medium

This AQL query searches process-creation events (Windows Security EventID 4688 and Sysmon EventID 1) in the QRadar events table for the certificate theft and forgery indicators listed above, then labels each hit with a DetectionType and a RiskScore so analysts can triage by category. CA-side events (4886, 4887, 4899, 4900) come from the certificate authority's Security log and are not covered by this process-creation query; they should be reviewed alongside it.

Data Sources

  • IBM QRadar SIEM
  • Windows Security Events
  • Endpoint Agent

Required Tables

events

False Positives & Tuning

  • Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
  • Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
  • Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Export User Certificate from Windows Store via CertUtil

    Expected signal: DeviceProcessEvents: certutil.exe with CommandLine containing '-exportPFX' and '-user'. DeviceFileEvents: FileCreated event for C:\Windows\Temp\stolen_cert.pfx. Sysmon EventID 1: certutil.exe process with full command line. Sysmon EventID 11: .pfx file creation in C:\Windows\Temp.

  2. Test 2: Enumerate and Export Certificates via PowerShell CryptoAPI

    Expected signal: DeviceProcessEvents: powershell.exe with command line containing X509Store, X509ContentType, and WriteAllBytes. Sysmon EventID 1: powershell.exe with certificate store access patterns. Sysmon EventID 11: atomic_cert_export.pfx file creation in C:\Windows\Temp. This test specifically validates coverage of non-certutil.exe certificate theft.

  3. Test 3: Request Certificate via CertReq Against AD CS

    Expected signal: DeviceProcessEvents: certreq.exe -new execution with INF path in CommandLine. Sysmon EventID 1: certreq.exe process creation with -new flag. Sysmon EventID 11: .csr file creation in C:\Windows\Temp. If submission step is run against a real CA: Windows Security Event 4886 on the CA server (certificate request received), followed by 4887 (issued) or 4888 (denied).
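To check the detection logic and the tuning notes offline before deploying the AQL rule, the following added example (written for this page, not code from QRadar or the page's author) re-implements the query's indicator matching in Python and runs it over constructed sample events shaped like the expected signals of the three tests above. Field names mirror the custom properties the query uses (NewProcessName, CommandLine, ParentProcessName, username, EventID); the CA-side event IDs and their labels are the ones named on this page. The risk scores and the allowlist mechanism are assumptions: the parent-process allowlist illustrates the SCCM/Intune tuning note, and ccmexec.exe (the SCCM client agent) is used there as an example value that the page itself does not name.

```python
"""Classify Windows process-creation and AD CS events for T1649 indicators.

Added example for this page (not QRadar's or the author's code). Sample
events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

# AD CS events on the CA server (Security log) named on this page.
ADCS_EVENT_IDS = {
    4886: "CertificateRequestReceived",
    4887: "CertificateIssued",
    4888: "CertificateRequestDenied",
    4899: "CertificateTemplateUpdated",
    4900: "CertificateTemplateSecurityUpdated",
}

# (pattern, detection type, risk score). First match wins, like the AQL CASE.
# Scores are assumptions chosen for this example.
PROCESS_INDICATORS = [
    (re.compile(r"crypto::(certificates|capi)", re.I), "MimikatzCryptoModule", 90),
    (re.compile(r"\bcertify(\.exe)?\b|\bcertipy\b", re.I), "ADCSAbuseTool", 90),
    (re.compile(r"certutil(\.exe)?\b.*-exportpfx", re.I), "CertUtilExport", 85),
    (re.compile(r"x509store.*(x509contenttype|writeallbytes)", re.I), "PowerShellCryptoAPI", 80),
    (re.compile(r"certreq(\.exe)?\b.*-new\b", re.I), "CertReqEnrollment", 60),
    (re.compile(r"\.(pfx|p12)\b", re.I), "CertificateFileReference", 60),
]


@dataclass
class Detection:
    detection_type: str
    risk_score: int
    account: str


def classify_event(event: dict, allowed_parents: FrozenSet[str] = frozenset()) -> Optional[Detection]:
    """Return a Detection for one event, or None if nothing matches.

    CA-side events are matched on EventID alone; process-creation events
    (Security 4688 / Sysmon 1) are matched on process name and command line.
    certreq.exe enrollments launched by an allowlisted parent (hypothetical
    MDM/endpoint-management agent) are suppressed, per the tuning notes.
    """
    event_id = event.get("EventID")
    if event_id in ADCS_EVENT_IDS:
        # Template changes are rarer and more consequential than requests.
        score = 75 if event_id in (4899, 4900) else 50
        return Detection(ADCS_EVENT_IDS[event_id], score, event.get("username", ""))
    if event_id not in (4688, 1):
        return None
    haystack = f'{event.get("NewProcessName", "")} {event.get("CommandLine", "")}'
    for pattern, dtype, score in PROCESS_INDICATORS:
        if not pattern.search(haystack):
            continue
        parent = event.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        if dtype == "CertReqEnrollment" and parent in allowed_parents:
            return None  # tuned out: legitimate device-certificate renewal
        if event.get("username") == "SYSTEM":
            score = max(score, 70)
        return Detection(dtype, score, event.get("username", ""))
    return None


def run_detections(events: List[dict], allowed_parents: FrozenSet[str] = frozenset()) -> List[Tuple[int, Detection]]:
    """Classify every event; return (index, Detection) for the ones that fire."""
    hits = []
    for i, ev in enumerate(events):
        det = classify_event(ev, allowed_parents)
        if det is not None:
            hits.append((i, det))
    return hits


# Constructed sample events modelled on the expected signals of Tests 1-3.
SAMPLE_EVENTS = [
    {"EventID": 4688, "username": "alice", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -user -exportPFX My CERT_ID_PLACEHOLDER C:\Windows\Temp\stolen_cert.pfx"},
    {"EventID": 1, "username": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command ...X509Store('My','CurrentUser')...X509ContentType...WriteAllBytes('C:\Windows\Temp\atomic_cert_export.pfx'...)"},
    {"EventID": 4688, "username": "alice", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -new C:\Windows\Temp\request.inf C:\Windows\Temp\request.csr"},
    {"EventID": 4688, "username": "SYSTEM", "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
     "NewProcessName": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -new C:\Windows\Temp\device.inf C:\Windows\Temp\device.csr"},
    {"EventID": 4688, "username": "bob", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"EventID": 4899, "username": "CA-ADMIN"},
    {"EventID": 4886, "username": "alice"},
]

if __name__ == "__main__":
    for idx, det in run_detections(SAMPLE_EVENTS, frozenset({"ccmexec.exe"})):
        print(f"event {idx}: {det.detection_type} risk={det.risk_score} account={det.account}")
```

Event 3 (certreq.exe under the SCCM client agent as SYSTEM) is the tuning case: without the allowlist it fires as CertReqEnrollment at 70, with it the event is dropped while the analyst-driven certreq.exe in event 2 still fires.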
