A user certificate was issued with a mismatch

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

Attacker's Goals

Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.

Investigative actions

  • Verify the activity with the performing user.
  • Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system).
  • Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester.
  • Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation.
  • Check for possible certificate authentications with the subject user.

Variations

Suspicious certificate issuance with a mismatch

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation.

Attacker's Goals

Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.

Investigative actions

  • Verify the activity with the performing user.
  • Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system).
  • Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester.
  • Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation.
  • Check for possible certificate authentications with the subject user.