Suspicious Certutil AD CS contact

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
ATT&CK Tactic	Discovery (TA0007) Credential Access (TA0006)
ATT&CK Technique	System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)
Severity	Low

Description

A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.

Attacker's Goals

An attacker might look for AD CS servers, certificate templates or request certificates.
With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.

Investigative actions

Look at further action done by the user.
Investigate whether other non-standard operations were done regarding the AD CS.

Variations

Suspicious Certutil AD CS Admin Interface contact

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface.

Attacker's Goals

An attacker might look for AD CS servers, certificate templates or request certificates.
With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.

Investigative actions

Look at further action done by the user.
Investigate whether other non-standard operations were done regarding the AD CS.