User set insecure CA registry setting for global SANs

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2025-02-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Tools (T1562.001)

Severity

Low

Description

A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.

Attacker's Goals

  • This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.

Investigative actions

  • Confirm whether the registry change was authorized by the user or system administrator.
  • Monitor certificate enrollments that carry caller-supplied Subject Alternative Names (SANs).
  • Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies.
  • Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.
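The following script is an added example and is not part of the Cortex XDR reference or of Palo Alto Networks' tooling. It carries out the investigative actions above on the CA host: it reads the policy module's EditFlags value to confirm whether EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x00040000) is set, lists recent issuances whose request attributes contain a caller-supplied SAN, and, only when `-Remediate` is passed, clears the flag and restarts CertSvc. It assumes an elevated session on an AD CS CA using the default Microsoft policy module, that CA request auditing is enabled so that Security event 4887 is logged, and that the function names, the `$Days` window and the regex parsing of the event message are this example's own choices.

```powershell
# Added example (not from the Cortex XDR reference): audit the EDITF_ATTRIBUTESUBJECTALTNAME2
# flag behind this alert, list recent SAN-bearing issuances, and optionally restore the
# secure setting. Assumes an elevated session on the CA host with the default Microsoft
# policy module; the event scan assumes CA auditing (Security event 4887) is enabled.
param([switch]$Remediate)

# EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x00040000 of the policy module's EditFlags DWORD.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Get-CaEditFlags {
    # The "Active" value under CertSvc\Configuration names the CA; EditFlags lives under
    # its policy module subkey.
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    [pscustomobject]@{
        CaName    = $caName
        PolicyKey = $policyKey
        EditFlags = [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    }
}

function Test-InsecureSanFlag {
    # Returns $true when the insecure flag is set; reports the full EditFlags value for the record.
    $ca  = Get-CaEditFlags
    $set = ($ca.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    $msg = '{0}: EditFlags=0x{1:X8} EDITF_ATTRIBUTESUBJECTALTNAME2 set={2}' -f $ca.CaName, $ca.EditFlags, $set
    if ($set) { Write-Warning $msg } else { Write-Host $msg }
    return $set
}

function Find-SanEnrollments {
    # Security event 4887 = "approved a certificate request and issued a certificate".
    # Its Attributes field echoes request attributes, so a "san:" entry means the
    # requester supplied the SAN rather than the template deriving it from AD.
    # The regex filter is coarse on purpose; review the matches by hand.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4887; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)\bsan:' } |
        ForEach-Object {
            $requester = if ($_.Message -match '(?m)^Requester:\s*(.+)$') { $Matches[1].Trim() } else { '' }
            $subject   = if ($_.Message -match '(?m)^Subject:\s*(.+)$')   { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Requester = $requester
                Subject   = $subject
            }
        }
}

function Disable-InsecureSanFlag {
    # "-EDITF_..." clears only this bit and leaves the other EditFlags bits alone.
    # CertSvc must restart before the policy module re-reads the value.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
    Restart-Service -Name CertSvc
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 cleared and CertSvc restarted.'
}

# Audit first, remediate only on explicit request.
$flagSet = Test-InsecureSanFlag
Find-SanEnrollments -Days 30 | Format-Table -AutoSize
if ($flagSet -and $Remediate) { Disable-InsecureSanFlag }
```

Run it without arguments to get the audit only; the issuance list is what the second and fourth investigative actions ask for, and any entry whose requester is not an expected enrollment account deserves a closer look before the flag is cleared.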