Detect Steal or Forge Authentication Certificates in Microsoft Sentinel
This detection identifies adversary attempts to steal or forge authentication certificates from Windows certificate stores, Active Directory Certificate Services (AD CS) infrastructure, or via crypto APIs. Key behaviors include use of certutil.exe with export flags, Mimikatz crypto module commands (crypto::certificates, crypto::capi), known AD CS abuse tools (Certify, Certipy), suspicious certificate file creation (.pfx/.p12), anomalous certificate enrollment or template modification events (Security EventIDs 4886, 4887, 4899, 4900), and process access to certificate material in LSASS or DPAPI-protected storage. Successful certificate theft enables persistent authentication as valid accounts and lateral movement without requiring password knowledge.
MITRE ATT&CK
- Tactic
- Credential Access
- Canonical reference
- https://attack.mitre.org/techniques/T1649/
KQL Detection Query
let CertTheftCLIKeywords = dynamic(["-exportpfx", "exportpfx", "crypto::certificates", "crypto::capi", "crypto::keys", "/export", "-pkcs12", "adcs", "certsrv", "certstore", "-repairstore", "-importpfx"]);
let KnownCertTheftTools = dynamic(["certify.exe", "certipy.exe", "sharpdpapi.exe", "sharpweb.exe", "certstealer.exe", "ghostpack"]);
let SensitiveExtensions = dynamic([".pfx", ".p12", ".pem", ".key"]);
// Detection 1: Process-based — certutil/certreq abuse and known tools
let ProcessDetections = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
(FileName =~ "certutil.exe" and ProcessCommandLine has_any (CertTheftCLIKeywords))
or (FileName =~ "certreq.exe" and (ProcessCommandLine has "-submit" or ProcessCommandLine has "-retrieve"))
or FileName has_any (KnownCertTheftTools)
or ProcessCommandLine has_any ("crypto::certificates", "crypto::capi /patch", "crypto::keys /export", "sekurlsa::certificates")
)
| extend DetectionSource = "ProcessEvent"
| extend SuspiciousIndicator = case(
ProcessCommandLine has "exportpfx", "CertUtil Certificate Export",
ProcessCommandLine has "crypto::certificates", "Mimikatz Cert Module",
ProcessCommandLine has "crypto::capi", "Mimikatz CryptoAPI Patch",
ProcessCommandLine has "crypto::keys", "Mimikatz Key Export",
ProcessCommandLine has "sekurlsa::certificates", "Mimikatz LSA Cert Dump",
FileName has_any (KnownCertTheftTools), "Known Cert Theft Tool",
"Suspicious Certificate CLI Activity"
)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
FileName, ProcessCommandLine, SuspiciousIndicator, FolderPath, DetectionSource;
// Detection 2: File-based — suspicious PFX/P12 written to non-standard locations
let FileDetections = DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName has_any (SensitiveExtensions)
| where not(FolderPath has_any (
"C:\\Windows\\System32\\CertSrv",
"C:\\ProgramData\\Microsoft\\Crypto",
"C:\\Users\\All Users\\Microsoft\\Crypto",
"C:\\Windows\\ServiceProfiles"
))
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "MicrosoftEdgeUpdate.exe")
| extend DetectionSource = "FileEvent"
| extend SuspiciousIndicator = "Certificate File Written to Non-Standard Location"
| project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName,
InitiatingProcessFileName, FileName, FolderPath, SuspiciousIndicator, DetectionSource;
// Detection 3: AD CS enrollment anomalies from Security event log
let ADCSDetections = SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4886, 4887, 4899, 4900)
| extend CertRequestDetails = parse_xml(EventData)
| where EventID in (4886, 4887) and SubjectUserName !endswith "$"
| extend DetectionSource = "SecurityEvent"
| extend SuspiciousIndicator = case(
EventID == 4886, "AD CS Certificate Request Received (User Account)",
EventID == 4887, "AD CS Certificate Issued to User Account",
EventID == 4899, "AD CS Certificate Template Modified",
EventID == 4900, "AD CS Certificate Template Security Updated",
"AD CS Event"
)
| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
InitiatingProcessFileName = "", FileName = "", FolderPath = "",
SuspiciousIndicator, DetectionSource;
union ProcessDetections, FileDetections, ADCSDetections
| order by TimeGenerated descDetects certificate theft and forgery via three correlated signals: (1) suspicious certutil.exe or certreq.exe command-line flags for certificate export, known AD CS abuse tools (Certify, Certipy), and Mimikatz crypto module commands; (2) certificate file (.pfx/.p12/.pem) creation outside expected system certificate storage paths; (3) AD CS Security Event IDs 4886/4887 (certificate requests/issuance to non-machine accounts) and 4899/4900 (template modifications). Combines process, file, and event log telemetry for high-fidelity coverage.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
- Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
- Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe
- Security operations tooling (vulnerability scanners, certificate inventory tools) that enumerate certificate templates or stores
- Developers testing code-signing workflows who export self-signed certificates in PFX format to non-standard directories
Other platforms for T1649
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Export User Certificate from Windows Store via CertUtil
Expected signal: DeviceProcessEvents: certutil.exe with CommandLine containing '-exportPFX' and '-user'. DeviceFileEvents: FileCreated event for C:\Windows\Temp\stolen_cert.pfx. Sysmon EventID 1: certutil.exe process with full command line. Sysmon EventID 11: .pfx file creation in C:\Windows\Temp.
- Test 2Enumerate and Export Certificates via PowerShell CryptoAPI
Expected signal: DeviceProcessEvents: powershell.exe with command line containing X509Store, X509ContentType, and WriteAllBytes. Sysmon EventID 1: powershell.exe with certificate store access patterns. Sysmon EventID 11: atomic_cert_export.pfx file creation in C:\Windows\Temp. This test specifically validates coverage of non-certutil.exe certificate theft.
- Test 3Request Certificate via CertReq Against AD CS
Expected signal: DeviceProcessEvents: certreq.exe -new execution with INF path in CommandLine. Sysmon EventID 1: certreq.exe process creation with -new flag. Sysmon EventID 11: .csr file creation in C:\Windows\Temp. If submission step is run against a real CA: Windows Security Event 4886 on the CA server (certificate request received), followed by 4887 (issued) or 4888 (denied).
References (10)
- https://attack.mitre.org/techniques/T1649/
- https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
- https://posts.specterops.io/certified-pre-owned-d95910965cd2
- https://github.com/GhostPack/Certify
- https://github.com/ly4k/Certipy
- https://github.com/TheWover/CertStealer
- https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview
- https://www.microsoft.com/en-us/security/blog/2022/08/24/azure-ad-certificate-based-authentication-cba-on-mobile-now-in-preview/
- https://o365blog.com/post/deviceidentity/
- https://adsecurity.org/?p=2053
Unlock Pro Content
Get the full detection package for T1649 including response playbook, investigation guide, and atomic red team tests.