Microsoft-Windows-Security-Auditing › Event 4876

Event ID 4876 — Certificate Services backup started.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Object Access → Certification Services
Collection Priority
Recommended (Yamato Security, others)
Opcode
Info

Description

Certificate Services backup started.

Message #

Certificate Services backup started.

Backup Type: %1

Fields #

Name | Description
Backup_Type | Backup type value (%1 in the message text)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4876,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-09-03T10:41:30.959534Z",
    "event_record_id": 376329,
    "correlation": {
      "#attributes": {
        "ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
      }
    },
    "execution": {
      "process_id": 640,
      "thread_id": 4156
    },
    "channel": "Security",
    "computer": "CDCWPKI01.rootblue.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BackupType": "1",
    "SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
    "SubjectUserName": "domadm",
    "SubjectDomainName": "ROOTBLUE",
    "SubjectLogonId": "0x91861a6"
  }
}

Detection Rules #

Splunk #

  • Windows Steal Authentication Certificates CS Backup: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.
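The detection logic described above, as an added example in Python that is not from this page or from the Splunk rule: it reads JSON events shaped like the Example Event section, keeps only Event ID 4876, and reports who started the CA backup on which host. The sample events are constructed copies modelled on the example above (one 4876, one unrelated 4624, one malformed line), and the allowlist of accounts expected to run scheduled CA backups (`svc-cabackup`) is a hypothetical name used only to show how an analyst would separate routine backups from unexpected ones.

```python
import json

# Constructed sample log lines, modelled on the Example Event above.
# The second line is an unrelated logon event and the third is a
# truncated line, so the detector has something to ignore and to skip.
SAMPLE_EVENTS = [
    json.dumps({
        "system": {
            "provider": "Microsoft-Windows-Security-Auditing",
            "event_id": 4876,
            "time_created": "2024-09-03T10:41:30.959534Z",
            "event_record_id": 376329,
            "channel": "Security",
            "computer": "CDCWPKI01.rootblue.lan",
        },
        "event_data": {
            "BackupType": "1",
            "SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
            "SubjectUserName": "domadm",
            "SubjectDomainName": "ROOTBLUE",
            "SubjectLogonId": "0x91861a6",
        },
    }),
    json.dumps({
        "system": {"event_id": 4624, "computer": "CDCWPKI01.rootblue.lan",
                   "event_record_id": 376330},
        "event_data": {"TargetUserName": "domadm", "LogonType": "3"},
    }),
    '{"system": {"event_id": 4876',  # constructed malformed line
]

# Hypothetical allowlist: (domain, account) pairs expected to run the
# scheduled CA backup job. Anything else starting a backup is worth a look.
EXPECTED_BACKUP_ACCOUNTS = {("ROOTBLUE", "svc-cabackup")}


def parse_event(line):
    """Return the event as a dict, or None if the line is not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def detect_adcs_backup(lines, expected=EXPECTED_BACKUP_ACCOUNTS):
    """Yield one finding per Event ID 4876 (Certificate Services backup started).

    Each finding records the CA host, the account that started the backup,
    the raw BackupType value from the event, and whether the account is on
    the allowlist of expected backup operators.
    """
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip unparsable lines rather than crash the pipeline
        system = event.get("system", {})
        if system.get("event_id") != 4876:
            continue
        data = event.get("event_data", {})
        subject = (data.get("SubjectDomainName", ""),
                   data.get("SubjectUserName", ""))
        findings.append({
            "computer": system.get("computer"),
            "record_id": system.get("event_record_id"),
            "time": system.get("time_created"),
            "subject": "\\".join(subject),
            # Raw value of the "Backup Type: %1" message parameter; this page
            # does not document what each numeric value means.
            "backup_type": data.get("BackupType"),
            "expected_operator": subject in expected,
        })
    return findings


if __name__ == "__main__":
    for f in detect_adcs_backup(SAMPLE_EVENTS):
        flag = "expected" if f["expected_operator"] else "REVIEW"
        print(f"[{flag}] {f['time']} {f['computer']} backup started by "
              f"{f['subject']} (BackupType={f['backup_type']}, "
              f"record {f['record_id']})")
```

The allowlist is the design choice worth noting: 4876 fires for legitimate scheduled backups too, so the useful signal is not the event by itself but a backup started by an account or from a host that does not normally run one.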

References #