Event ID 5058 — Key file operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Key file operation.

Message

Key file operation.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Key File Operation Information:
	File Path: %9
	Operation: %10
	Return Code: %11

Fields

Name                Type           Description
SubjectUserSid      SID            [Subject] Security ID
SubjectUserName     UnicodeString  [Subject] Account Name
SubjectDomainName   UnicodeString  [Subject] Account Domain
SubjectLogonId      HexInt64       [Subject] Logon ID
ClientProcessId     UInt32         [Process Information] Process ID
ClientCreationTime  FILETIME       [Process Information] Process Creation Time
ProviderName        UnicodeString  [Cryptographic Parameters] Provider Name
AlgorithmName       UnicodeString  [Cryptographic Parameters] Algorithm Name
KeyName             UnicodeString  [Cryptographic Parameters] Key Name
KeyType             UnicodeString  [Cryptographic Parameters] Key Type
                                   Known values:
                                     %%2499  Machine key
                                     %%2500  User key
KeyFilePath         UnicodeString  [Key File Operation Information] File Path
Operation           UnicodeString  [Key File Operation Information] Operation
                                   Known values:
                                     %%2456  Open key file.
                                     %%2457  Delete key file.
                                     %%2458  Read persisted key from file.
                                     %%2459  Write persisted key to file.
                                     %%2464  Export of persistent cryptographic key.
                                     %%2465  Import of persistent cryptographic key.
                                     %%2480  Open Key.
                                     %%2481  Create Key.
                                     %%2482  Delete Key.
                                     %%2483  Encrypt.
                                     %%2484  Decrypt.
                                     %%2485  Sign hash.
                                     %%2486  Secret agreement.
                                     %%2487  Domain settings.
                                     %%2488  Local settings.
                                     %%2489  Add provider.
                                     %%2490  Remove provider.
                                     %%2491  Add context.
                                     %%2492  Remove context.
                                     %%2493  Add function.
                                     %%2494  Remove function.
                                     %%2495  Add function provider.
                                     %%2496  Remove function provider.
                                     %%2497  Add function property.
                                     %%2498  Remove function property.
                                     %%2499  Machine key.
                                     %%2500  User key.
                                     %%2501  Key Derivation.
                                     %%2502  Claim Creation.
                                     %%2503  Claim Verification.
ReturnCode          HexInt32       [Key File Operation Information] Return Code

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5058,
    "version": 1,
    "level": 0,
    "task": 12292,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:39.883187+00:00",
    "event_record_id": 2882,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ClientProcessId": 1612,
    "ClientCreationTime": "2023-11-06T06:25:38.635483Z",
    "ProviderName": "Microsoft Software Key Storage Provider",
    "AlgorithmName": "UNKNOWN",
    "KeyName": "b87f845a-3278-6909-ee85-d3025f077fea",
    "KeyType": "%%2500",
    "KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\fb28f36d176f9b9a964a506f1b386c99_31383106-803d-411b-9763-a28cdc0f0c3f",
    "Operation": "%%2458",
    "ReturnCode": "0x0"
  },
  "message": ""
}
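Putting the message template, the field list and the example record together: an added Python example (not part of this reference page) that resolves the %%NNNN string-table tokens, renders the message the way the template above lays it out, and flags successful delete or export operations for review. The mapping of %1..%11 to field names follows the template on this page; the sample event data is constructed from the example record above, with its Operation changed to an export and a shortened placeholder key file path.

```python
# %%NNNN string-table references used in KeyType and Operation (see known values).
STRINGS = {
    "%%2456": "Open key file.", "%%2457": "Delete key file.",
    "%%2458": "Read persisted key from file.", "%%2459": "Write persisted key to file.",
    "%%2464": "Export of persistent cryptographic key.",
    "%%2465": "Import of persistent cryptographic key.",
    "%%2499": "Machine key", "%%2500": "User key",
}
# %1..%11 of the message template, in the order the template above lists them
# (ClientProcessId and ClientCreationTime are in event_data but have no slot).
TEMPLATE = (
    "Key file operation.\n\nSubject:\n\tSecurity ID: {SubjectUserSid}\n"
    "\tAccount Name: {SubjectUserName}\n\tAccount Domain: {SubjectDomainName}\n"
    "\tLogon ID: {SubjectLogonId}\n\nCryptographic Parameters:\n"
    "\tProvider Name: {ProviderName}\n\tAlgorithm Name: {AlgorithmName}\n"
    "\tKey Name: {KeyName}\n\tKey Type: {KeyType}\n\nKey File Operation Information:\n"
    "\tFile Path: {KeyFilePath}\n\tOperation: {Operation}\n\tReturn Code: {ReturnCode}"
)
# Operations worth review when they succeed: a persisted key deleted, or key
# material exported out of the key store.
WATCH_OPS = {"%%2457", "%%2464"}

def resolve(value):
    """Map a %%NNNN reference to its display text; other values pass through."""
    return STRINGS.get(value, value)

def render_message(event_data):
    """Fill the 5058 message template from event_data with %% tokens resolved."""
    return TEMPLATE.format(**{k: resolve(str(v)) for k, v in event_data.items()})

def triage(event_data):
    """Return a one-line finding for a 5058 record, or None if nothing stands out."""
    op, rc = event_data["Operation"], int(event_data["ReturnCode"], 16)
    if op in WATCH_OPS and rc == 0:
        return (f"{resolve(op).rstrip('.')}: {resolve(event_data['KeyType']).lower()} "
                f"{event_data['KeyName']} by {event_data['SubjectUserName']} "
                f"(pid {event_data['ClientProcessId']})")
    return None

# Constructed sample: event_data of the example record above, with Operation
# changed from %%2458 (read) to %%2464 (export) so the triage rule fires.
SAMPLE = {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7",
    "ClientProcessId": 1612, "ClientCreationTime": "2023-11-06T06:25:38.635483Z",
    "ProviderName": "Microsoft Software Key Storage Provider", "AlgorithmName": "UNKNOWN",
    "KeyName": "b87f845a-3278-6909-ee85-d3025f077fea", "KeyType": "%%2500",
    "KeyFilePath": r"C:\ProgramData\Microsoft\Crypto\SystemKeys\x",
    "Operation": "%%2464", "ReturnCode": "0x0",
}
```

Because this subcategory also logs routine opens and reads, filtering on Operation and ReturnCode as `triage` does keeps the volume manageable before the record is shown to an analyst.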
