Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/event-id-4107-or-event-id-11-is-logged

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: ''
  event_id: 70
  version: 0
  level: 4
  task: 70
  opcode: 0
  keywords: 4611686018427388032
  time_created: '2020-07-11T13:21:11.693103Z'
  event_record_id: 13969076
  correlation: {}
  execution:
    process_id: 5708
    thread_id: 5712
  channel: Microsoft-Windows-CAPI2/Operational
  computer: wec02
  security:
    user_id: S-1-5-21-1153173314-1076311963-3278442693-500
user_data:
  CryptAcquireCertificatePrivateKey:
    Certificate:
      '#attributes':
        fileRef: 3CD6B0EFAF68549EFE9ED2316426FCD7FF81A6A8.cer
        subjectName: wec02.offsec.lan
    Flags:
      '#attributes':
        value: '10000'
        CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG: 'true'
    EventAuxInfo:
      '#attributes':
        ProcessName: mimikatz.exe
    CorrelationAuxInfo:
      '#attributes':
        TaskId: '{973F48B9-7001-410B-A904-B1DD8692B60A}'
        SeqNumber: '2'
    Result:
      '#attributes':
        value: '0'

Sigma Rules

• Certificate Private Key Acquired
  Detects when an application acquires a certificate private key

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

For more details for this event, please refer to the "Details" section

Fields

Message

The Cryptographic Services service failed to initialize the Catalog Database. The error was: %1 : %2.

Fields

Message

The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: %1.

Fields

Message

The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.%1.

Fields

Message

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.%1.

Fields

Message

Successful auto update of third-party root certificate:: Subject: <%1> Sha1 thumbprint: <%2>.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4097
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2023-11-05T23:13:48.717808+00:00'
  event_record_id: 1679
  correlation: {}
  execution:
    process_id: 1140
    thread_id: 1340
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
  - OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  - 2796BAE63F1801E277261BA0D77770028F20EEE4
message: 'Successful auto update of third-party root certificate:: Subject: <OU=Go
  Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US> Sha1
  thumbprint: <2796BAE63F1801E277261BA0D77770028F20EEE4>.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Successful auto update retrieval of third-party root list cab from: <%1>.

Fields

Message

Failed auto update retrieval of third-party root list cab from: <%1> with error: %2.

Fields

Message

Successful auto update retrieval of third-party root certificate from: <%1>.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4100
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2016-08-24T21:26:02.343750Z'
  event_record_id: 1650
  correlation: {}
  execution:
    process_id: 1124
    thread_id: 1712
  channel: Application
  computer: IE10Win7
  security:
    user_id: ''
event_data: {}

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Failed auto update retrieval of third-party root certificate from: <%1> with error: %2.

Fields

Message

Reached crypt32 threshold of %1 events and will suspend logging for %2 minutes.

Fields

Message

Successful auto update retrieval of third-party root list sequence number from: <%1>.

Fields

Message

Failed auto update retrieval of third-party root list sequence number from: <%1> with error: %2.

Fields

Message

Untrusted root certificate:: Subject: <%1> Sha1 thumbprint: <%2>.

Fields

Message

Partial Chain:: Issuer: <%1> Subject Sha1 thumbprint: <%2>.

Fields

Message

Failed extract of third-party root list from auto update cab at: <%1> with error: %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/event-id-4107-or-event-id-11-is-logged

Message

Successful auto delete of third-party root certificate:: Subject: <%1> Sha1 thumbprint: <%2>.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4108
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2022-04-07T17:04:18.250448+00:00'
  event_record_id: 217
  correlation: {}
  execution:
    process_id: 2432
    thread_id: 2344
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
  - OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  - 4F65566336DB6598581D584A596C87934D5F2AB4
message: 'Successful auto delete of third-party root certificate:: Subject: <OU=Class
  3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> Sha1 thumbprint:
  <4F65566336DB6598581D584A596C87934D5F2AB4>.'

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Successful auto property update of third-party root certificate:: Subject: <%1> Sha1 thumbprint: <%2>.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4109
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2022-04-07T17:04:18.250448+00:00'
  event_record_id: 216
  correlation: {}
  execution:
    process_id: 2432
    thread_id: 2344
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
  - OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  - 742C3192E607E424EB4549542BE1BBC53E6174E2
message: 'Successful auto property update of third-party root certificate:: Subject:
  <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> Sha1
  thumbprint: <742C3192E607E424EB4549542BE1BBC53E6174E2>.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Failed to add certificate to Third-Party Root Certification Authorities store with error: %2

Fields

Message

Successful auto update of third-party root list with effective date: %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4111
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2022-04-07T17:04:18.250448+00:00'
  event_record_id: 218
  correlation: {}
  execution:
    process_id: 2432
    thread_id: 2344
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
  - ‎Tuesday, ‎February ‎22, ‎2022 11:44:40 AM
message: 'Successful auto update of third-party root list with effective date: ‎Tuesday,
  ‎February ‎22, ‎2022 11:44:40 AM.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Successful auto update of disallowed certificate list with effective date: %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4112
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2022-04-07T08:11:02.801955+00:00'
  event_record_id: 49
  correlation: {}
  execution:
    process_id: 2436
    thread_id: 4712
  channel: Application
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
  - ‎Tuesday, ‎March ‎16, ‎2021 12:29:24 AM
message: 'Successful auto update of disallowed certificate list with effective date:
  ‎Tuesday, ‎March ‎16, ‎2021 12:29:24 AM.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Successful auto update of pin rules with effective date: %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-CAPI2
  guid: '{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'
  event_source_name: Microsoft-Windows-CAPI2
  event_id: 4113
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2022-04-07T08:12:04.333773+00:00'
  event_record_id: 82
  correlation: {}
  execution:
    process_id: 2436
    thread_id: 5476
  channel: Application
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
  - ‎Wednesday, ‎May ‎31, ‎2017 4:28:59 PM
message: 'Successful auto update of pin rules with effective date: ‎Wednesday, ‎May
  ‎31, ‎2017 4:28:59 PM.'

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Server: %1 has unexpected certificates under trusted authority: <%2> with thumbprint: %3.

Mismatch of pin rules for domain: %4 with effective date: %5 and sequence number: %6.

Certificates saved to: <%7>.

Fields

Message

Added public key pinning rule for domain: %1 with header thumbprint: %2.

Header value: %3.

Fields

Message

Server: %1 has unexpected certificates under trusted authority: <%2> with thumbprint: %3.

Mismatch of public key pinning rule for domain: %4 added on date: %5 with header thumbprint: %6.

Certificates saved to: <%7>.

Fields

Message

Server: %1 has unexpected certificates under trusted authority: <%2> with thumbprint: %3.

Mismatch of public key pinning rule for domain: %4 added on date: %5 with header thumbprint: %6.

Certificates saved to: <%7>.

However, also matched domain: %8 added on date: %9 with header thumbprint: %10.

Fields

Message

Successful pre-fetch of certificate revocation list from: <%1>.

Fields

Message

Failed pre-fetch of certificate revocation list from: <%1> with error: %2.

Fields

Message

Certificate signature verify failed. Detected public key parameter poisoning. 

Additional Information: %1.

Fields

Message

LDAP CryptRetrieveObjectByUrlW failed. Detected URL with control characters. 

Additional Information: %1. 

Error Code: %2.

Fields

Message

PFX operation failed as AuthSafes count doesn't lie in expected range. Maximum permissible value: %1. Erroneous value: %2.

Fields

Message

PFX operation failed as Iteration count doesn't lie in expected range. Maximum permissible value: %1. Erroneous value: %2.

Fields

Message

PFX operation failed as SafeBags count doesn't lie in expected range. Maximum permissible value: %1. Erroneous value: %2.

Fields

Message

The catalog file %2 is being added to subsystem %1.

Fields

Message

Addition of the catalog file completed. Status %1.

Fields

Message

The catalog file %2 is being removed from the subsystem %1.

Fields

Message

Removal of the catalog file completed. Status %1.

Fields

Message

The catalog file %2 is being synced to the subsystem %1.

Fields

Message

Sync of the catalog file completed. Status %1.

Fields

Message

The Catalog Database is being rebuilt for subsystem %1.

Fields

Message

Rebuild of the Catalog Database for the chosen subsystem has completed. Status %1.

Fields

Message

A hash of type %2, length %3 and value %4 is being searched for in subsystem %1.

Fields

Message

The hash search completed and was found in %2 catalogs. Status %1.

Fields

Message

Sync of subsystem %1 has started.

Fields

Message

Sync of the subsystem completed. Status %1.

Fields