Detect Steal or Forge Authentication Certificates in Splunk
This detection identifies adversary attempts to steal or forge authentication certificates from Windows certificate stores, Active Directory Certificate Services (AD CS) infrastructure, or via crypto APIs. Key behaviors include use of certutil.exe with export flags, Mimikatz crypto module commands (crypto::certificates, crypto::capi), known AD CS abuse tools (Certify, Certipy), suspicious certificate file creation (.pfx/.p12), anomalous certificate enrollment or template modification events (Security EventIDs 4886, 4887, 4899, 4900), and process access to certificate material in LSASS or DPAPI-protected storage. Successful certificate theft enables persistent authentication as valid accounts and lateral movement without requiring password knowledge.
MITRE ATT&CK
- Tactic: Credential Access
- Canonical reference: https://attack.mitre.org/techniques/T1649/
SPL Detection Query

```spl
index=* earliest=-24h sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval img=lower(Image), cmd=lower(CommandLine)
| where (like(img,"%certutil.exe") AND (like(cmd,"%exportpfx%") OR like(cmd,"%-pkcs12%") OR like(cmd,"%certsrv%") OR like(cmd,"%-repairstore%")))
    OR (like(img,"%certreq.exe") AND (like(cmd,"%-submit%") OR like(cmd,"%-retrieve%")))
    OR like(cmd,"%crypto::certificates%") OR like(cmd,"%crypto::capi%") OR like(cmd,"%crypto::keys%") OR like(cmd,"%sekurlsa::certificates%")
    OR like(img,"%certify.exe") OR like(img,"%certipy.exe") OR like(img,"%sharpdpapi.exe")
| eval DetectionSource="Sysmon_ProcessCreate"
| eval SuspiciousIndicator=case(
    like(cmd,"%exportpfx%"), "CertUtil Certificate Export",
    like(cmd,"%crypto::certificates%"), "Mimikatz Cert Module",
    like(cmd,"%crypto::capi%"), "Mimikatz CryptoAPI Patch",
    like(cmd,"%crypto::keys%"), "Mimikatz Key Export",
    like(cmd,"%sekurlsa::certificates%"), "Mimikatz LSA Cert Dump",
    like(img,"%certify.exe") OR like(img,"%certipy.exe") OR like(img,"%sharpdpapi.exe"), "Known Cert Theft Tool Execution",
    like(img,"%certreq.exe"), "CertReq Submission/Retrieval",
    1==1, "Certificate Suspicious Activity"
    )
| rename User AS AccountName
| table _time, Computer, AccountName, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, SuspiciousIndicator, DetectionSource, EventCode
| append
    [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 earliest=-24h
    | where (like(lower(TargetFilename),"%.pfx") OR like(lower(TargetFilename),"%.p12") OR like(lower(TargetFilename),"%.pem") OR like(lower(TargetFilename),"%.key"))
    | where NOT (like(lower(TargetFilename),"%\\windows\\system32\\certsrv%") OR like(lower(TargetFilename),"%\\programdata\\microsoft\\crypto%") OR like(lower(TargetFilename),"%\\windows\\serviceprofiles%"))
    | where NOT (like(lower(Image),"%svchost.exe") OR like(lower(Image),"%lsass.exe"))
    | eval SuspiciousIndicator="Certificate File Written to Non-Standard Location", DetectionSource="Sysmon_FileCreate"
    | table _time, Computer, User, Image, CommandLine, TargetFilename, SuspiciousIndicator, DetectionSource, EventCode
    | rename User AS AccountName]
| append
    [search index=* sourcetype="WinEventLog:Security" EventCode IN (4886,4887,4899,4900) earliest=-24h
    | where NOT like(SubjectUserName,"%$")
    | eval SuspiciousIndicator=case(
        EventCode=4886, "AD CS Certificate Request - User Account",
        EventCode=4887, "AD CS Certificate Issued - User Account",
        EventCode=4899, "AD CS Template Modified",
        EventCode=4900, "AD CS Template Security Updated",
        1==1, "AD CS Event"
        ), DetectionSource="Security_ADCS"
    | table _time, Computer, SubjectUserName, SuspiciousIndicator, DetectionSource, EventCode
    | rename SubjectUserName AS AccountName]
| sort - _time
```

Detects certificate theft and AD CS abuse via Sysmon Event 1 (process creation) for certutil.exe export flags, certreq.exe submission, Mimikatz crypto module commands, and known offensive tools (Certify, Certipy, SharpDPAPI). Also monitors Sysmon Event 11 (file creation) for PFX/P12 files written outside system certificate directories, and Windows Security events 4886/4887/4899/4900 for anomalous AD CS certificate requests and template modifications from non-machine accounts.
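As an added example (not the page's own code or Splunk's), the query's indicator and tuning logic re-expressed in Python so that the classification order, the system-path allowlist and the machine-account exclusion can be unit-tested against constructed events before the SPL is deployed. Field names (EventCode, Image, CommandLine, TargetFilename, SubjectUserName) follow the query; the sample events are constructed and are not real telemetry.

```python
# Added example, not the page's code: the query's indicator and tuning logic as testable Python.
ADCS_LABELS = {4886: "AD CS Certificate Request - User Account", 4887: "AD CS Certificate Issued - User Account",
               4899: "AD CS Template Modified", 4900: "AD CS Template Security Updated"}
MIMIKATZ = [("crypto::certificates", "Mimikatz Cert Module"), ("crypto::capi", "Mimikatz CryptoAPI Patch"),
            ("crypto::keys", "Mimikatz Key Export"), ("sekurlsa::certificates", "Mimikatz LSA Cert Dump")]
SYSTEM_CERT_PATHS = (r"\windows\system32\certsrv", r"\programdata\microsoft\crypto", r"\windows\serviceprofiles")

def classify(ev):
    """SuspiciousIndicator label for one event, or None when the query would drop it."""
    code, img = ev.get("EventCode"), ev.get("Image", "").lower()
    cmd, path = ev.get("CommandLine", "").lower(), ev.get("TargetFilename", "").lower()
    if code == 1:  # Sysmon process creation, checked in the same order as the query's case()
        if img.endswith("certutil.exe") and any(f in cmd for f in ("exportpfx", "-pkcs12", "certsrv", "-repairstore")):
            return "CertUtil Certificate Export"
        for needle, label in MIMIKATZ:
            if needle in cmd:
                return label
        if img.endswith(("certify.exe", "certipy.exe", "sharpdpapi.exe")):
            return "Known Cert Theft Tool Execution"
        if img.endswith("certreq.exe") and ("-submit" in cmd or "-retrieve" in cmd):
            return "CertReq Submission/Retrieval"
    elif code == 11 and path.endswith((".pfx", ".p12", ".pem", ".key")):
        # system certificate stores and OS writers (svchost, lsass) are tuned out, as in the query
        if not any(p in path for p in SYSTEM_CERT_PATHS) and not img.endswith(("svchost.exe", "lsass.exe")):
            return "Certificate File Written to Non-Standard Location"
    elif code in ADCS_LABELS and not ev.get("SubjectUserName", "").endswith("$"):
        return ADCS_LABELS[code]  # machine accounts (name ends in $) enrol routinely and are excluded
    return None

def detect(events):
    # One (Computer, AccountName, SuspiciousIndicator) row per event carrying an indicator
    rows = []
    for ev in events:
        label = classify(ev)
        if label:
            rows.append((ev["Computer"], ev.get("User") or ev.get("SubjectUserName"), label))
    return rows

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events; field names follow the query
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -user -exportPFX my 1a2b3c C:\Windows\Temp\out.pfx"},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Users\alice\m.exe",
     "CommandLine": 'm.exe "crypto::capi" "crypto::certificates /export"'},
    {"EventCode": 11, "Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\abc.key"},
    {"EventCode": 11, "Computer": "WS02", "User": "CORP\\bob", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\export.p12"},
    {"EventCode": 4886, "Computer": "CA01", "SubjectUserName": "WS01$"},
    {"EventCode": 4899, "Computer": "CA01", "SubjectUserName": "carol"},
]
```

Running `detect(SAMPLE_EVENTS)` yields four rows: the svchost write into the machine key store and the machine-account enrollment are dropped by the same tuning the query applies.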
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode 1 process creation and EventCode 11 file creation)
- WinEventLog:Security (EventCode 4886, 4887, 4899, 4900, logged on the AD CS server)
False Positives & Tuning
- PKI administrators exporting certificates for backup using certutil.exe -exportPFX during authorized maintenance windows
- Web administrators exporting TLS certificates as PFX for IIS or Apache configuration — especially common during certificate renewal cycles
- MDM enrollment processes (Intune, SCCM) using certreq.exe -submit for device certificate provisioning
- Security scanning tools that enumerate AD CS templates for compliance reporting
- Developers running local code-signing tests who write PFX files to development directories
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Export User Certificate from Windows Store via CertUtil
Expected signal: DeviceProcessEvents: certutil.exe with CommandLine containing '-exportPFX' and '-user'. DeviceFileEvents: FileCreated event for C:\Windows\Temp\stolen_cert.pfx. Sysmon EventID 1: certutil.exe process with full command line. Sysmon EventID 11: .pfx file creation in C:\Windows\Temp.
- Test 2: Enumerate and Export Certificates via PowerShell CryptoAPI
Expected signal: DeviceProcessEvents: powershell.exe with command line containing X509Store, X509ContentType, and WriteAllBytes. Sysmon EventID 1: powershell.exe with certificate store access patterns. Sysmon EventID 11: atomic_cert_export.pfx file creation in C:\Windows\Temp. This test specifically validates coverage of non-certutil.exe certificate theft.
- Test 3: Request Certificate via CertReq Against AD CS
Expected signal: DeviceProcessEvents: certreq.exe -new execution with INF path in CommandLine. Sysmon EventID 1: certreq.exe process creation with -new flag. Sysmon EventID 11: .csr file creation in C:\Windows\Temp. If the submission step is run against a real CA: Windows Security Event 4886 on the CA server (certificate request received), followed by 4887 (issued) or 4888 (denied).
References (10)
- https://attack.mitre.org/techniques/T1649/
- https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
- https://posts.specterops.io/certified-pre-owned-d95910965cd2
- https://github.com/GhostPack/Certify
- https://github.com/ly4k/Certipy
- https://github.com/TheWover/CertStealer
- https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview
- https://www.microsoft.com/en-us/security/blog/2022/08/24/azure-ad-certificate-based-authentication-cba-on-mobile-now-in-preview/
- https://o365blog.com/post/deviceidentity/
- https://adsecurity.org/?p=2053