Windows Steal Authentication Certificates CS Backup

Splunk Security Content

Summary
This detection rule monitors anomalous activity related to backups of Active Directory Certificate Services (AD CS), identified through Windows Event ID 4876. The event is logged when a backup of the AD CS store is performed, whether through the CertSrv.msc UI or the CertUtil.exe -BackupDB command. The rule matters because an unauthorized backup can signal an attempt to exfiltrate authentication certificates, which are pivotal for secure communications. Left unaddressed, this malicious behavior could enable attackers to impersonate legitimate users, escalate privileges, or gain access to sensitive information, posing significant risk to the organization's security posture. Careful monitoring of these events is critical to identifying such threats in a timely manner.
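As an added example (not the Splunk detection's own search), the Python below applies the same logic to a few constructed key=value log lines in the style of a forwarded Windows Security log: it keeps only Event ID 4876 records and skips an assumed allowlist of accounts expected to run scheduled CA backups. Field names, hostnames, accounts and the allowlist are all constructed for illustration.

```python
"""Flag AD CS database backups (Windows Security Event ID 4876).

Added example, not Splunk's own detection search. Runs over constructed
key=value log lines; field names and the allowlist are assumptions.
"""
import re
from typing import Iterable

# Constructed sample events. Real AD CS backup events are EventCode 4876
# ("Certificate Services backup started"); the 4624 line is filler.
SAMPLE_EVENTS = [
    'EventCode=4876 ComputerName=CA01.corp.example AccountName=svc_cabackup AccountDomain=CORP BackupType=Full',
    'EventCode=4624 ComputerName=CA01.corp.example AccountName=jdoe AccountDomain=CORP LogonType=3',
    'EventCode=4876 ComputerName=CA01.corp.example AccountName=jdoe AccountDomain=CORP BackupType=Full',
    'EventCode=4876 ComputerName=CA02.corp.example AccountName=Administrator AccountDomain=CORP BackupType=Incremental',
]

# Assumed allowlist: (domain, account) pairs expected to run scheduled CA backups.
ALLOWED_BACKUP_ACCOUNTS = {("CORP", "svc_cabackup")}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict of string fields."""
    return dict(_KV.findall(line))


def detect_cs_backups(lines: Iterable[str], allowlist=ALLOWED_BACKUP_ACCOUNTS) -> list:
    """Return one alert dict per 4876 event whose account is not allowlisted."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4876":
            continue  # not a Certificate Services backup event
        who = (ev.get("AccountDomain", ""), ev.get("AccountName", ""))
        if who in allowlist:
            continue  # expected scheduled backup account
        alerts.append({
            "host": ev.get("ComputerName"),
            "account": "\\".join(who),
            "backup_type": ev.get("BackupType"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_cs_backups(SAMPLE_EVENTS):
        print(f"ALERT: AD CS backup on {a['host']} by {a['account']} ({a['backup_type']})")
```

Tuning the allowlist (or replacing it with a baseline of known backup windows) is what keeps this from firing on the organisation's own scheduled CA backups.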
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Active Directory
ATT&CK Techniques
  • T1649
Created: 2024-11-13