RULE 30 AD Golden Certificate CA Backup
Query
// =========================================================
// RULE-30 | AD-GoldenCertificate-CA-Backup
// Description : Golden Certificate attack — CA private key
// backup or export detection. Event 4880
// (Certificate Services started — backup
// initiated), Event 4886 (Certificate Issued)
// combined with Event 4688 (Process Creation)
// showing certutil, certipy, or openssl
// performing a CA backup (-backup flag) or
// private key export.
// A stolen CA private key enables the attacker
// to forge ANY certificate for ANY user for the
// lifetime of the CA (typically 5–20 years).
// It survives password resets, krbtgt rotations,
// account removals, and even CA certificate
// revocation (unless the CA itself is rebuilt).
// Severity : Critical — any CA private key export/backup
// Frequency : Every 15 minutes, look-back 15 minutes
// MITRE : T1553.004 — Subvert Trust Controls:
// Install Root Certificate
// T1649 — Steal or Forge Auth Certs
// Tables : SecurityEvent
// =========================================================
let LookBack = 15m;
// Signal 1: Event 4880 — Certificate Services started in backup mode
let Via4880 = SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4880
| extend
Source = "Event4880_CA_Backup_Started",
Actor = SubjectUserName,
Detail = EventData,
Host = Computer;
// Signal 2: CA backup commands via process creation
let Via4688 = SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4688
| where CommandLine has_any (
"certutil.*-backup", "certutil -backup",
"certutil.*-exportpfx", "certutil -exportpfx",
"certipy.*ca.*backup", "certipy ca -backup",
"openssl.*pkcs12", "openssl.*pfx",
"Export-PfxCertificate",
"certreq.*-export",
"Get-CertificateEnrollmentPolicyServer"
)
or (CommandLine has "certutil" and CommandLine has "-p " and CommandLine has ".pfx")
| extend
Source = "Event4688_CA_Key_Export_Cmd",
Actor = SubjectUserName,
Detail = CommandLine,
Host = Computer;
// Signal 3: MDE DeviceProcessEvents CA backup
let ViaMDE = DeviceProcessEvents
| where TimeGenerated > ago(LookBack)
| where ProcessCommandLine has_any (
"certutil.*-backup", "certipy.*ca.*backup",
"-exportpfx", "Export-PfxCertificate"
)
| extend
Source = "MDE_CA_Key_Backup",
Actor = InitiatingProcessAccountName,
Detail = ProcessCommandLine,
Host = DeviceName;
union Via4880, Via4688, ViaMDE
| extend
Severity = "Critical",
WhySuspicious = strcat(
"Golden_Certificate_CA_Private_Key_Backup_or_Export; ",
"Survives_krbtgt_rotation_and_password_resets; ",
"Source: ", Source, "; ",
"Actor: ", Actor, "; ",
"Detail: ", Detail
)
| project
TimeGenerated,
Severity,
WhySuspicious,
Actor,
Detail,
Source,
Host
| order by TimeGenerated descExplanation
This query is designed to detect potential "Golden Certificate" attacks, which involve the unauthorized backup or export of a Certificate Authority's (CA) private key. Such an attack allows an attacker to forge certificates for any user, posing a significant security risk.
Here's a simplified breakdown of the query:
-
Purpose: The query aims to identify suspicious activities related to the backup or export of a CA's private key, which could indicate a "Golden Certificate" attack.
-
Events Monitored:
- Event 4880: Indicates that Certificate Services have started in backup mode.
- Event 4688: Captures process creation events where certain commands (like
certutil,certipy, oropenssl) are used to perform CA backups or export private keys. - MDE DeviceProcessEvents: Monitors similar backup or export activities using Microsoft Defender for Endpoint data.
-
Detection Logic:
- The query looks back over the last 15 minutes to find relevant events.
- It checks for specific command-line arguments that suggest a CA backup or private key export is being attempted.
- It combines data from different sources (SecurityEvent logs and MDE DeviceProcessEvents) to identify suspicious activities.
-
Output:
- The results include details about the suspicious activity, such as the time it occurred, the severity (marked as "Critical"), the reason it's suspicious, the user involved (Actor), the command or event details, the source of the detection, and the host where it occurred.
- The results are sorted by the time the event was generated, with the most recent events listed first.
-
Severity and Impact:
- The severity of these events is marked as "Critical" because a stolen CA private key can have long-lasting effects, allowing attackers to bypass security measures like password resets and account removals.
Overall, this query is a security measure to detect and alert on potential unauthorized CA private key backups or exports, which could lead to severe security breaches.
