Event ID 70
Description
For more details for this event, please refer to the "Details" section.
Message
Fields
| Name | Description |
|---|---|
| CryptAcquireCertificatePrivateKey | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CAPI2",
    "guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
    "event_source_name": "",
    "event_id": 70,
    "version": 0,
    "level": 4,
    "task": 70,
    "opcode": 0,
    "keywords": 4611686018427388032,
    "time_created": "2020-07-11T13:21:11.693103Z",
    "event_record_id": 13969076,
    "correlation": {},
    "execution": {
      "process_id": 5708,
      "thread_id": 5712
    },
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "computer": "wec02",
    "security": {
      "user_id": "S-1-5-21-1153173314-1076311963-3278442693-500"
    }
  },
  "user_data": {
    "CryptAcquireCertificatePrivateKey": {
      "Certificate": {
        "#attributes": {
          "fileRef": "3CD6B0EFAF68549EFE9ED2316426FCD7FF81A6A8.cer",
          "subjectName": "wec02.offsec.lan"
        }
      },
      "Flags": {
        "#attributes": {
          "value": "10000",
          "CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG": "true"
        }
      },
      "EventAuxInfo": {
        "#attributes": {
          "ProcessName": "mimikatz.exe"
        }
      },
      "CorrelationAuxInfo": {
        "#attributes": {
          "TaskId": "{973F48B9-7001-410B-A904-B1DD8692B60A}",
          "SeqNumber": "2"
        }
      },
      "Result": {
        "#attributes": {
          "value": "0"
        }
      }
    }
  }
}
```
Detection Rules
Sigma
- Certificate Private Key Acquired (level: medium): Detects when an application acquires a certificate private key
Splunk
- Windows Steal Authentication Certificates CryptoAPI: The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.
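As an added example (not part of this event reference, nor the Sigma or Splunk rule logic), a small Python triage routine over a record in the JSON shape shown above: it extracts the fields the detections rely on, decodes the hex Flags and Result values, and raises an alert when the key was successfully handed out to a process outside an allowlist. EXPECTED_CALLERS is an assumption to tune per environment, and SAMPLE_EVENT is a constructed record trimmed from the example event.

```python
import ntpath

# Hypothetical allowlist of image names expected to acquire certificate private
# keys on this host (an assumption for this example, not a vendor baseline).
EXPECTED_CALLERS = {"lsass.exe", "svchost.exe", "certutil.exe"}

def parse_event70(record):
    """Extract triage fields from one CAPI2 event-70 record in the page's JSON shape."""
    system = record.get("system", {})
    if system.get("provider") != "Microsoft-Windows-CAPI2" or system.get("event_id") != 70:
        return None  # not this event: caller should skip it
    data = record["user_data"]["CryptAcquireCertificatePrivateKey"]

    def attrs(key):
        return data.get(key, {}).get("#attributes", {})

    return {
        "time": system.get("time_created"),
        "computer": system.get("computer"),
        "pid": system.get("execution", {}).get("process_id"),
        # calling image name; basename + lowercase gives a stable allowlist key
        "process": ntpath.basename(attrs("EventAuxInfo").get("ProcessName", "")).lower(),
        "subject": attrs("Certificate").get("subjectName"),
        # Flags and Result are hex strings: "10000" is 0x10000, which the event
        # itself labels CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG; Result "0" is success
        "flags": int(attrs("Flags").get("value", "0"), 16),
        "result": int(attrs("Result").get("value", "0"), 16),
    }

def triage(record, expected=EXPECTED_CALLERS):
    """Parsed fields plus 'alert': key really handed out (Result 0) to an unexpected process."""
    event = parse_event70(record)
    if event is None:
        return None
    event["alert"] = event["result"] == 0 and event["process"] not in expected
    return event

# Constructed sample record, trimmed from the example event on this page.
SAMPLE_EVENT = {
    "system": {"provider": "Microsoft-Windows-CAPI2", "event_id": 70, "computer": "wec02",
               "time_created": "2020-07-11T13:21:11.693103Z",
               "execution": {"process_id": 5708, "thread_id": 5712}},
    "user_data": {"CryptAcquireCertificatePrivateKey": {
        "Certificate": {"#attributes": {"subjectName": "wec02.offsec.lan"}},
        "Flags": {"#attributes": {"value": "10000", "CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG": "true"}},
        "EventAuxInfo": {"#attributes": {"ProcessName": "mimikatz.exe"}},
        "Result": {"#attributes": {"value": "0"}},
    }},
}
```

Calling `triage(SAMPLE_EVENT)` returns the parsed fields with `alert` set to True; a failed acquisition (non-zero Result) or an allowlisted caller yields False, and non-CAPI2 records return None so they can be skipped.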
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx