T1649 Sumo Logic CSE · Sumo

Detect Steal or Forge Authentication Certificates in Sumo Logic CSE

This detection identifies adversary attempts to steal or forge authentication certificates from Windows certificate stores, Active Directory Certificate Services (AD CS) infrastructure, or via crypto APIs. Key behaviors include use of certutil.exe with export flags, Mimikatz crypto module commands (crypto::certificates, crypto::capi), known AD CS abuse tools (Certify, Certipy), suspicious certificate file creation (.pfx/.p12), anomalous certificate enrollment or template modification events (Security EventIDs 4886, 4887, 4899, 4900), and process access to certificate material in LSASS or DPAPI-protected storage. Successful certificate theft enables persistent authentication as valid accounts and lateral movement without requiring password knowledge.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1649 Steal or Forge Authentication Certificates
Canonical reference
https://attack.mitre.org/techniques/T1649/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score
high severity medium confidence

Sumo Logic detection for Steal or Forge Authentication Certificates (T1649). Identifies adversary steal or forge authentication certificates behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

Data Sources

Sumo Logic Cloud SIEMWindows Event LogsEndpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives & Tuning

  • Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
  • Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
  • Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe
Download portable Sigma rule (.yml)

Other platforms for T1649

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Export User Certificate from Windows Store via CertUtil

    Expected signal: DeviceProcessEvents: certutil.exe with CommandLine containing '-exportPFX' and '-user'. DeviceFileEvents: FileCreated event for C:\Windows\Temp\stolen_cert.pfx. Sysmon EventID 1: certutil.exe process with full command line. Sysmon EventID 11: .pfx file creation in C:\Windows\Temp.

  2. Test 2Enumerate and Export Certificates via PowerShell CryptoAPI

    Expected signal: DeviceProcessEvents: powershell.exe with command line containing X509Store, X509ContentType, and WriteAllBytes. Sysmon EventID 1: powershell.exe with certificate store access patterns. Sysmon EventID 11: atomic_cert_export.pfx file creation in C:\Windows\Temp. This test specifically validates coverage of non-certutil.exe certificate theft.

  3. Test 3Request Certificate via CertReq Against AD CS

    Expected signal: DeviceProcessEvents: certreq.exe -new execution with INF path in CommandLine. Sysmon EventID 1: certreq.exe process creation with -new flag. Sysmon EventID 11: .csr file creation in C:\Windows\Temp. If submission step is run against a real CA: Windows Security Event 4886 on the CA server (certificate request received), followed by 4887 (issued) or 4888 (denied).

Last updated: 2026-03-20 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1649 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1558.001Golden TicketT1552.004Private KeysT1078Valid AccountsT1550.001Application Access TokenT1003OS Credential DumpingT1484.002Trust Modification

Same Tactic: Credential Access

Popular Detections