Query Details

RULE 30 AD Golden Certificate CA Backup

Query

// =========================================================
// RULE-30 | AD-GoldenCertificate-CA-Backup
// Description : Golden Certificate attack — CA private key
//               backup or export detection. Event 4880
//               (Certificate Services started — backup
//               initiated), Event 4886 (Certificate Issued)
//               combined with Event 4688 (Process Creation)
//               showing certutil, certipy, or openssl
//               performing a CA backup (-backup flag) or
//               private key export.
//               A stolen CA private key enables the attacker
//               to forge ANY certificate for ANY user for the
//               lifetime of the CA (typically 5–20 years).
//               It survives password resets, krbtgt rotations,
//               account removals, and even CA certificate
//               revocation (unless the CA itself is rebuilt).
// Severity    : Critical — any CA private key export/backup
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1553.004 — Subvert Trust Controls:
//               Install Root Certificate
//               T1649     — Steal or Forge Auth Certs
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Signal 1: Event 4880 — Certificate Services started in backup mode
let Via4880 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4880
    | extend
        Source = "Event4880_CA_Backup_Started",
        Actor  = SubjectUserName,
        Detail = EventData,
        Host   = Computer;

// Signal 2: CA backup commands via process creation
let Via4688 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4688
    // has_any is a term match, so regex-style patterns such as "certutil.*-backup"
    // never fire; tool-plus-flag co-occurrence is checked with matches regex instead
    | where CommandLine matches regex @"(?i)certutil(\.exe)?\b.*-(backup|exportpfx)\b"
        or CommandLine matches regex @"(?i)certipy\b.*\bca\b.*-backup\b"
        or CommandLine matches regex @"(?i)openssl\b.*(pkcs12|\.pfx)"
        or CommandLine matches regex @"(?i)certreq\b.*-export\b"
        or CommandLine has_any ("Export-PfxCertificate", "Get-CertificateEnrollmentPolicyServer")
        or (CommandLine has "certutil" and CommandLine contains "-p " and CommandLine contains ".pfx")
    | extend
        Source = "Event4688_CA_Key_Export_Cmd",
        Actor  = SubjectUserName,
        Detail = CommandLine,
        Host   = Computer;

// Signal 3: MDE DeviceProcessEvents CA backup
let ViaMDE = DeviceProcessEvents
    | where TimeGenerated > ago(LookBack)
    // same term-match caveat as above: ".*" only works under matches regex
    | where ProcessCommandLine matches regex @"(?i)(certutil(\.exe)?\b.*-backup|certipy\b.*\bca\b.*-backup)\b"
        or ProcessCommandLine has_any ("-exportpfx", "Export-PfxCertificate")
    | extend
        Source = "MDE_CA_Key_Backup",
        Actor  = InitiatingProcessAccountName,
        Detail = ProcessCommandLine,
        Host   = DeviceName;

union Via4880, Via4688, ViaMDE
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "Golden_Certificate_CA_Private_Key_Backup_or_Export; ",
        "Survives_krbtgt_rotation_and_password_resets; ",
        "Source: ", Source, "; ",
        "Actor: ", Actor, "; ",
        "Detail: ", Detail
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    Actor,
    Detail,
    Source,
    Host
| order by TimeGenerated desc

Explanation

This query is designed to detect potential "Golden Certificate" attacks, which involve the unauthorized backup or export of a Certificate Authority (CA) private key. Such an attack can allow an attacker to forge certificates for any user, posing a critical security risk.

Here's a simplified breakdown of the query:

  1. Purpose: The query aims to identify suspicious activities related to the backup or export of CA private keys, which could indicate a "Golden Certificate" attack.

  2. Detection Signals:

     • Signal 1: Looks for Event ID 4880, which indicates that Certificate Services have started in backup mode. This event is logged in the SecurityEvent table.
     • Signal 2: Searches for Event ID 4688, which logs process creation events. It specifically looks for commands related to CA backup or export using tools like certutil, certipy, or openssl.
     • Signal 3: Monitors DeviceProcessEvents for similar backup or export commands.

  3. Time Frame: The query checks for these events every 15 minutes, looking back over the past 15 minutes.

  4. Output: The results are combined and include details such as the time of the event, severity (marked as "Critical"), reasons for suspicion, the actor (user) involved, command details, source of the event, and the host (computer) where the event occurred.

  5. Severity and Impact: The severity of these events is marked as "Critical" because a stolen CA private key can be used to forge certificates for any user, and it remains a threat even after password resets or other security measures.

  6. MITRE Techniques: The query is associated with MITRE ATT&CK techniques T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1649 (Steal or Forge Auth Certs).

Overall, this query is a security measure to detect and alert on potential unauthorized activities related to CA private key backups or exports, which could lead to significant security breaches.
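The following test harness is an added example, not part of the original query or the author's page: it runs the process-creation filter over constructed 4688 command lines (hosts, users and commands are all made up) so the rule can be checked against known-good and known-bad samples before it is scheduled. Because `has_any` is a term match, the `.*` wildcards in the rule's patterns are never interpreted as regex, so tool-plus-flag co-occurrence is expressed with `matches regex` here.

```kql
// Constructed 4688 command lines (not real telemetry) to exercise the CA key-export
// filter. Expected marks the rows a CA private-key backup/export rule should fire on.
let Samples = datatable(TimeGenerated:datetime, Computer:string, SubjectUserName:string, CommandLine:string, Expected:bool) [
    datetime(2026-03-24 09:00:00), "CA01", "svc-backup", @"certutil.exe -backup C:\CABackup", true,
    datetime(2026-03-24 09:01:00), "CA01", "jdoe", @"certutil -exportPFX -p ""Pass123"" my ""Corp Root CA"" C:\Temp\ca.pfx", true,
    datetime(2026-03-24 09:02:00), "WS07", "jdoe", @"powershell.exe Export-PfxCertificate -Cert Cert:\LocalMachine\My\<thumbprint> -FilePath C:\Temp\ca.pfx", true,
    datetime(2026-03-24 09:03:00), "WS07", "jdoe", @"openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx", true,
    datetime(2026-03-24 09:04:00), "WS07", "jdoe", @"certipy ca -backup -ca CORP-CA01-CA", true,
    datetime(2026-03-24 09:05:00), "WS07", "jdoe", @"certutil -verify server.cer", false,
    datetime(2026-03-24 09:06:00), "CA01", "svc-backup", @"robocopy C:\Windows\System32\CertLog D:\Backup /MIR", false
];
// Term matching (has / has_any) cannot interpret ".*", so tool + flag co-occurrence
// is expressed with matches regex; the plain cmdlet names stay on has_any.
Samples
| extend Fired =
       CommandLine matches regex @"(?i)certutil(\.exe)?\b.*-(backup|exportpfx)\b"
    or CommandLine matches regex @"(?i)certipy\b.*\bca\b.*-backup\b"
    or CommandLine matches regex @"(?i)openssl\b.*(pkcs12|\.pfx)"
    or CommandLine matches regex @"(?i)certreq\b.*-export\b"
    or CommandLine has_any ("Export-PfxCertificate", "Get-CertificateEnrollmentPolicyServer")
    or (CommandLine has "certutil" and CommandLine contains "-p " and CommandLine contains ".pfx")
// A row where Fired differs from Expected is either a missed technique or a false positive.
| project TimeGenerated, Computer, SubjectUserName, CommandLine, Expected, Fired, Mismatch = Expected != Fired
| order by TimeGenerated asc
```

In production, 4688 only carries a populated CommandLine when the audit policy setting "Include command line in process creation events" is enabled on the CA hosts; without it, Signal 2 is silent and the rule depends on Signal 1 and the MDE signal alone.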

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent, DeviceProcessEvents

Keywords

SecurityEvent, DeviceProcessEvents, CertificateServices, ProcessCommandLine, Actor, Host, Computer, DeviceName

Operators

let, where, ago, extend, has_any, or, has, union, strcat, project, order by
