Certificate Private Key Acquired
Detects when an application acquires a certificate private key.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1649 Steal or Forge Authentication Certificates |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| CAPI2 | 70 | For more details for this event, please refer to the "Details" section |
Stages and Predicates
Stage 1: selection
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or not specific enough.
- Windows Steal Authentication Certificates CryptoAPI (adds 1 filter)