Query Details

Certificate Issued To Privileged User

Query

// Create a list of privileged users based on AD group membership
let AdminGroups = dynamic([
    "Domain Admins",
    "Enterprise Admins",
    "Administrators",
    "Schema Admins",
    "Account Operators",
    "Backup Operators",
    "Server Operators"
]);
let PrivUsers =
    IdentityInfo
    | where Type == "User"
    | mv-apply GroupMembership on (where GroupMembership in~ (AdminGroups))
    | summarize by PrincipalName = tostring(AccountUpn);
// Process certificate request events (Event ID 4886)
SecurityEvent
| where EventID == 4886
| extend XmlData = parse_xml(EventData)
| mv-expand DataNode = XmlData.EventData.Data
| extend FieldName = tostring(DataNode['@Name']), FieldValue = tostring(DataNode['#text'])
// Group by ResourceId and TimeGenerated to extract specific fields from XML nodes
| summarize
    SubjectAlternativeName = anyif(FieldValue, FieldName == "SubjectAlternativeName"),
    RequestClientInfo = anyif(FieldValue, FieldName == "RequestClientInfo"),
    Computer = any(Computer)
  by _ResourceId, TimeGenerated
| extend SubjectAlternativeName = tostring(SubjectAlternativeName)
| extend RequesterMachine = extract(@"Machine:\s*([A-Za-z0-9\-\_]+)", 1, RequestClientInfo)
| extend PrincipalName = extract(@"Principal Name=([^ ]+)", 1, SubjectAlternativeName)
| extend HasSTU = iff(SubjectAlternativeName has "URL=ID:STU", true, false)
// Set mandatory fields for the Custom Detection Rule
| extend Timestamp = TimeGenerated
| extend ReportId = tostring(new_guid())
// Cross-reference with the privileged user list
| join kind=inner PrivUsers on PrincipalName
// Join with DeviceInfo to enrich with machine context using a normalized join key
| extend JoinKey = tolower(RequesterMachine)
| join kind=leftouter (
    DeviceInfo 
    | extend DeviceNameLower = tolower(DeviceName)
    | summarize arg_max(Timestamp, *) by DeviceNameLower 
) on $left.JoinKey == $right.DeviceNameLower

About this query

Certificate Issued to Privileged User

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1649Steal or Forge Authentication Certificateshttps://attack.mitre.org/techniques/T1649/

Description

This rule detects when a certificate is issued to a privileged user. It identifies privileged users by checking their group membership against a predefined list of administrative groups such as 'Domain Admins', 'Enterprise Admins', and 'Administrators'. The rule then looks for Windows Security Event ID 4886, which indicates a certificate services operation, and extracts the principal name from the Subject Alternative Name field. Finally, it joins this information with the identified privileged users to flag any certificate issuance to them.

Author <Optional>

References

Sentinel

Explanation

This query is designed to detect when a digital certificate is issued to a privileged user within an organization. Here's a simplified breakdown of how it works:

  1. Identify Privileged Users: The query starts by creating a list of privileged user groups, such as 'Domain Admins' and 'Administrators'. It then checks the organization's identity information to find users who belong to these groups, compiling a list of their principal names.

  2. Monitor Certificate Issuance: It looks for specific Windows Security Events (Event ID 4886), which indicate that a certificate has been issued. The query extracts relevant details from these events, such as the subject alternative name and the machine requesting the certificate.

  3. Cross-Reference: The query cross-references the list of privileged users with the certificate issuance events to see if any certificates have been issued to these users.

  4. Enrich with Machine Information: It also attempts to match the machine requesting the certificate with additional device information to provide more context about the request.

  5. Flagging: If a certificate is issued to a privileged user, the query flags this as a potential security concern, as it could indicate an attempt to steal or forge authentication certificates, a technique identified by MITRE ATT&CK as T1649. Overall, this query helps security teams monitor and respond to potentially unauthorized certificate issuance to high-privilege accounts, which could be a sign of malicious activity.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: January 15, 2026

Tables

IdentityInfoSecurityEventDeviceInfo

Keywords

SecurityEventIdentityInfoDevice

Operators

letdynamicmv-applywherein~summarizetostringparse_xmlmv-expandextendanyifbyextractiffnew_guidjoinkindtolowerarg_max

MITRE Techniques

Actions

GitHub