Detection rules › Kusto Query Language

Certified Pre-Owned - backup of CA private key - rule 1

Source: upstream

This query identifies someone that performs a read operation of they CA key from the file.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036` Masquerading

Event coverage

Provider	Event ID	Title
Security-Auditing	5058	Key file operation.

Stages and Predicates

Stage 1: `source`

SecurityEvent

Stage 2: `where`

and
  Computer contains "<YOUR CA MACHINE NAME>"
  EventID eq "5058"

Stage 3: `where`

EventData contains "%%2499"

Stage 4: `extend`

Stage 5: `mv-expand`

Stage 6: `mv-expand`

Stage 7: `mv-expand`

Stage 8: `extend`

Stage 9: `extend`

Stage 10: `where`

KeyName eq "<INSERT ISSUING CA KEY HERE>"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Computer`	contains	`<YOUR CA MACHINE NAME>`
`EventData`	contains	`%%2499`
`EventID`	eq	`5058`
`KeyName`	eq	`<INSERT ISSUING CA KEY HERE>`

Certified Pre-Owned - backup of CA private key - rule 1

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: extend

Stage 5: mv-expand

Stage 6: mv-expand

Stage 7: mv-expand

Stage 8: extend

Stage 9: extend

Stage 10: where