Detection rules › Splunk
Windows Steal Authentication Certificates Certificate Request
The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1649 Steal or Forge Authentication Certificates |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4886 | Certificate Services received a certificate request. |
Stages and Predicates
Stage 1: search
search EventCode=4886
Stage 2: stats
stats BY dest, name, Requester, action, Attributes
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|