Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

12 alerts match the current filters. tactic: TA0006 ✕ technique: T1649 ✕

Show ATT&CK heatmap
  • A process queried the ADFS database decryption key via LDAP Low Identity Analytics 3 variations

    A process queried the ADFS database decryption key (DKM key) via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Federation Services Analytics
    Attacker's goals: An attacker wanting to perform a golden SAML attack will want to steal the ADFS token-signing certificates. To steal the token-signing certificates, the attacker will need to access the ADFS database To access the encrypted ADFS database, an attacker will attempt to retrieve the decryption key via an LDAP query.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Check for unusual ADFS logins. Check the process that initiated the query. Investigate the LDAP search query for any suspicious indicators.

    Variations

    LDAP query explicitly queried the ADFS database decryption key (DKM key)

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    A process explicitly queried the ADFS database decryption key (DKM key) via LDAP

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    LDAP query queried the ADFS database decryption key (DKM key)

    Low overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

  • A suspicious process enrolled for a certificate Low 1 variation

    A suspicious process enrolled for a certificate.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.
    Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.

    Variations

    An unsigned suspicious process enrolled for a certificate

    Medium overridden

    An unsigned suspicious process enrolled for a certificate. overridden

  • A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A suspicious process queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user suspiciously queried AD CS objects via LDAP

    Low overridden

    A user suspiciously queried AD CS objects via LDAP. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A user queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user enumerated AD CS objects using suspicious LDAP query

    Low overridden

    A user enumerated AD CS objects using suspicious LDAP query. overridden

  • LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Abnormal LDAP AD CS Enumeration via Attack Tool

    Medium overridden

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Suspicious Certutil AD CS contact Low 1 variation

    A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.

    Variations

    Suspicious Certutil AD CS Admin Interface contact

    Medium overridden

    A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden

  • Suspicious certificate template modification Informational Identity Analytics 2 variations

    A certificate template was updated with a possible misconfiguration. This may indicate the exploitation of misconfigured certificate template access control (ESC4).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
    Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.

    Variations

    Certificate template was updated to be vulnerable to AD CS ESC attack

    Medium overridden

    A certificate template was updated, making it vulnerable to an AD CS ESC attack. This may indicate the potential abuse of AD CS ESC4. overridden

    Certificate template was updated with a misconfiguration configuration

    Low overridden

    A certificate template was updated with new misconfiguration. This may indicate a potential AD CS ESC4 attack. overridden

  • Suspicious process accessed certificate files Low

    A suspicious process accessed certificate files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may search for local certificate files for authentication, persistence or NTLM extraction.
    Investigative actions: See whether this was a legitimate action. Follow process/user activities.
  • Unusual CertLog Remote File Write Low Identity Analytics 1 variation

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to exploit AD CS misconfigurations and obtain forged authentication certificates for privilege escalation or persistence.
    Investigative actions: Determine whether this was a legitimate certificate request or an unauthorized write operation. Review logs for preceding and subsequent authentication attempts. Investigate the remote host for any suspicious activity. Identify any subsequent Kerberos ticket usage, such as forging or relaying attacks.

    Variations

    Suspicious CertLog Remote File Write

    Medium overridden

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks. overridden

  • Vulnerable certificate template loaded Informational Identity Analytics 2 variations

    A possible misconfigured certificate template was loaded by Certificate Services. This may indicate potential certificate template abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
    Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Look for signs of certificate template enumeration via LDAP. Inspect certificates issued to privileged accounts. Check for abnormal PKINIT authentication or elevated Kerberos tickets.

    Variations

    First detection of AD CS ESC vulnerability in certificate template

    Medium overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services for the first time. This may indicate potential certificate template abuse. overridden

    Certificate template vulnerable to AD CS ESC attack

    Low overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services. This may indicate potential certificate template abuse. overridden