Detection rules › Splunk
Windows Steal Authentication Certificates CS Backup
The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1649 Steal or Forge Authentication Certificates |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4876 | Certificate Services backup started. |
Stages and Predicates
Stage 1: search
search EventCode=4876
Stage 2: stats
stats BY dest, name, action, Caller_Domain, Caller_User_Name
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|