Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A certificate was issued to a subject that differs from the account that requested it. This may indicate certificate manipulation, such as a request that names another principal as the subject so that the resulting certificate can be used to authenticate as that principal.
Attacker's Goals
Attackers may request certificates in the name of privileged accounts or systems they do not otherwise control, then use those certificates to authenticate as the subject, gain elevated access, and move laterally within the network.
Investigative actions
- Verify the request with the requesting user.
- Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system).
- Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester.
- Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation.
- Check whether the issued certificate was subsequently used to authenticate as the subject user.
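The following is an added example, not the product's own detection logic, showing how the requester/subject mismatch in the description and the "known on-behalf-of requester" check in the investigative actions combine into one rule. It assumes certificate-issuance records that carry a requester and a subject (the shape of AD CS issuance audit events; field names here are an assumption), applies the 30-day training period to learn which requesters routinely enroll on behalf of others, and suppresses repeat alerts for the same requester/subject pair within the 1-day deduplication period. The 14-day activation period is not modelled. All records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Windows taken from the synopsis table: 30-day training, 1-day deduplication.
TRAINING_PERIOD = timedelta(days=30)
DEDUP_PERIOD = timedelta(days=1)


@dataclass(frozen=True)
class IssuedCert:
    """One certificate-issuance record. Field names are an assumption for
    this example, modelled on an AD CS issuance audit event."""
    ts: datetime
    requester: str   # account that submitted the request
    subject: str     # identity the certificate was issued to
    request_id: int


def normalize(principal: str) -> str:
    """Compare principals case-insensitively and without domain decoration,
    so 'CORP\\alice' and 'alice@corp.local' refer to the same account."""
    p = principal.lower()
    if "\\" in p:
        p = p.split("\\", 1)[1]
    return p.split("@", 1)[0]


def is_mismatch(rec: IssuedCert) -> bool:
    return normalize(rec.requester) != normalize(rec.subject)


def build_baseline(history: List[IssuedCert], now: datetime) -> Set[str]:
    """Requesters that enrolled certificates for other identities during the
    training window. These act as expected on-behalf-of requesters (e.g. an
    MDM service account) and are not alerted on."""
    cutoff = now - TRAINING_PERIOD
    return {
        normalize(r.requester)
        for r in history
        if cutoff <= r.ts < now and is_mismatch(r)
    }


def detect(records: List[IssuedCert], baseline: Set[str]) -> List[IssuedCert]:
    """Return the records that raise an alert: requester differs from subject,
    the requester is not a baselined on-behalf-of requester, and no alert for
    the same requester/subject pair fired within the deduplication period."""
    last_alert: Dict[Tuple[str, str], datetime] = {}
    alerts: List[IssuedCert] = []
    for rec in sorted(records, key=lambda r: r.ts):
        if not is_mismatch(rec):
            continue                      # ordinary self-enrollment
        if normalize(rec.requester) in baseline:
            continue                      # known on-behalf-of requester
        key = (normalize(rec.requester), normalize(rec.subject))
        prev = last_alert.get(key)
        if prev is not None and rec.ts - prev < DEDUP_PERIOD:
            continue                      # suppressed as a duplicate
        last_alert[key] = rec.ts
        alerts.append(rec)
    return alerts


T0 = datetime(2024, 3, 1)

# Constructed training data: an MDM service account enrolling certificates
# for a different user each day, plus one ordinary self-enrollment.
TRAINING = [
    IssuedCert(T0 - timedelta(days=d), "CORP\\svc-mdm", f"user{d}@corp.local", 1000 + d)
    for d in range(1, 30)
] + [IssuedCert(T0 - timedelta(days=5), "CORP\\bob", "bob@corp.local", 2000)]

# Constructed post-training data.
EVAL = [
    IssuedCert(T0 + timedelta(hours=1), "CORP\\svc-mdm", "carol@corp.local", 3001),         # baselined
    IssuedCert(T0 + timedelta(hours=2), "CORP\\alice", "alice@corp.local", 3002),           # self-enrollment
    IssuedCert(T0 + timedelta(hours=3), "CORP\\alice", "administrator@corp.local", 3003),   # alert
    IssuedCert(T0 + timedelta(hours=9), "CORP\\alice", "administrator@corp.local", 3004),   # deduplicated
    IssuedCert(T0 + timedelta(days=1, hours=4), "CORP\\alice", "administrator@corp.local", 3005),  # alert again
    IssuedCert(T0 + timedelta(hours=5), "CORP\\alice", "CORP\\svc-backup", 3006),           # alert, new subject
]


def run_example() -> List[int]:
    baseline = build_baseline(TRAINING, T0)
    return [a.request_id for a in detect(EVAL, baseline)]


if __name__ == "__main__":
    print(run_example())
```

Deduplicating on the requester/subject pair rather than on the requester alone keeps a second privileged subject targeted by the same requester visible; widening the key to the requester only would hide it.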