Windows Certificate Export: Detections Inspired by the SolarWinds Compromise


TL/DR

Below we describe methods to detect when a certificate is exported from a Windows system, using the “Certificate Services Lifecycle Notifications” audit log, collected with the “MS Windows Event Logging XML – Generic” log source type and focusing on Event ID 1007. We also demonstrate WebUI searches and an AIE rule that look for command line observations of Mimikatz, certutil, or ADFSDump indicating a suspicious certificate export.

Detect High-Risk Certificate Exports with LogRhythm

As part of the SolarWinds attack by the adversary FireEye tracks as UNC2452, the attacker used a Golden SAML attack to move laterally to the cloud. In summary of the key findings, the attacker extracted the private key from the ADFS server and generated a forged SAML authentication message, granting them access to Microsoft Azure.

By first focusing on a rare activity (certificate export) and further refining the focus to critical servers (where private keys are held), we can surface high-risk certificate exports, thus providing a quick win for security operations center (SOC) analysts and incident responders.

In this blog, you will learn how an analyst using the LogRhythm NextGen SIEM can collect an audit log that doesn’t have a defined log source type yet and leverage that log to detect when a certificate has been exported. We will also cover WebUI searches that an analyst can perform today to search for possible certificate export activity. The method we describe in searching the WebUI will become the basis for a future AIE rule in the MITRE ATT&CK module.

Actionable Logs for Easier Detection

Microsoft Audit Log: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational

Certificate Services Lifecycle Notifications is a great audit log for identifying when certificates have been exported. As of this writing, LogRhythm doesn’t have a dedicated log source type for this audit log, but LogRhythm customers can use the “MS Windows Event Logging XML – Generic” log source type to collect from it. You’ll quickly realize the benefits, because you will have an actionable log that can be turned into an AIE Event and optionally an alarm whenever certificates have been exported. This is considered an actionable alert, especially when coupled with monitoring of critical systems in which private keys are stored, because a key export is typically a rare event, and the change control activity around such an event should be well known in advance. The following are steps on how a LogRhythm customer can collect the audit log, create an AIE Event for the detection, and alarm on the event.

Log Source Configuration of Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational using MS Windows Event Logging XML – Generic Log Source Type

  1. In the LogRhythm Deployment Manager within the console, select the “System Monitors” tab.
  2. Locate the system where you would like to add the log collection.
  3. Create a new “Log Message Source”.
  4. Under “Log Message Source Type”, select “System : MS Windows Event Logging XML – Generic”.

    Figure 1. Log Source Type Selector: Select “System : MS Windows Event Logging XML – Generic”
  5. Change the “Log Message Processing Engine (MPE) Policy” to “LogRhythm Default”.
  6. Example of configured Log Message Source Properties:

    Figure 2. Log Message Source Properties: Most notably, change the Log Message Source Name to something descriptive, such as Generic Microsoft-Windows-Certificate
  7. Select the “Flat File Settings” tab, and enter the following for “File Path”:
     localhost:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  8. Click on OK when done.

Generate Log Sample Test

  1. Perform the following as Administrator using PowerShell on the system you are collecting from.
  2. Type the following in the command line and press enter after each step:
    • Set-Location Cert:\LocalMachine\My
    • New-SelfSignedCertificate -DnsName "test.local", "www.test.local" -CertStoreLocation "cert:\LocalMachine\My"
    • Get-ChildItem
      • Note the Thumbprint number as in this example:

        Figure 3. Generate a log sample test using PowerShell
      • Copy the Thumbprint number and paste it into the following command: certutil.exe -exportPFX My ThumbprintNumber C:\path\testCertExport.pfx
      • Replace ThumbprintNumber with the thumbprint you copied and C:\path\testCertExport.pfx with the path where you would like the PFX file to be written.
  3. If prompted for a password, provide one.

Another method of extracting the self-signed certificate is to use the following commands in PowerShell:

  1. $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
    • In the place of password provide the password you would like to use.
  2. Get-ChildItem -Path cert:\localMachine\my\ThumbprintNumber | Export-PfxCertificate -FilePath C:\path\mypfx.pfx -Password $mypwd
    • Replace ThumbprintNumber with the thumbprint and C:\path\mypfx.pfx with the path where you would like the PFX file to be written.

You can verify the logs have been generated from your test by using Event Viewer on the system you tested on, and navigating to the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational audit log.

Here is an example of the audit logs being generated as part of the test:

Figure 4. Event Viewer: CertificateServicesClient-Lifecycle-System/Operational audit log containing the 1007 events detailing “Certificate has been exported”

View Log in LogRhythm

Using the WebUI, perform the following steps:

  1. Perform a search.
    • Click on “Log Source Filter” and select the log source you created.
      • A quick way to filter is to use the “Type” dropdown field, type generic (without quotes), and select “MS Windows Event Logging XML – Generic”.
      • Select the log source you created to collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational.
    • Click OK when done.
  2. Select the timeframe you wish to search.
  3. Remove all additional criteria for the search in order to bring back all logs associated with that log source.
  4. Click on Search.
  5. View the results in the Analyzer Grid.
    • Example:

    Figure 5. WebUI Analyzer Grid and Event Details of Vendor Message ID (VMID 1007)

Please keep in mind that the “Generic” log source isn’t meant to parse out all relevant information, but the information we are presented with is valuable enough to construct an AI Engine rule with. Also note that the “Log Message” tab displays the full log message, which will help an analyst understand which Thumbprint was exported.

Here’s an example of “Log Message”:

Figure 6. Log Message details. Viewing the details will show the analyst what was exported

Constructing the AI Engine Rule

Create a new rule using the AI Engine Rule Wizard. The following are steps to populate the rule logic:

  1. Add a new Log Observed block.
  2. In the Primary Filter, add the following criteria:
    • Log Source Type: MS Windows Event Logging XML – Generic
    • Process Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
    • Vendor Message ID: 1007
  3. In the Group By tab, select the following:
    • Host (Impacted)
    • User (Origin)
    • Vendor Message ID
  4. Click OK when done constructing the Rule Block.
  5. Click on the Settings tab, and configure the following:
    • Classification:
      • You could use something like “Security : Compromise” or “Security : Suspicious”, depending on how you create custom AIE rules in your environment. Since this activity should be rare, and if it is not known to be part of change control activity, choosing “Security : Compromise” would be a valid selection.
    • Risk Rating: In our example, we chose Security : Compromise for our Classification, so our Risk Rating should be 9 – High-High.
    • Enable “Alarm on event occurrence”.
    • Change False Positive Probability (FPP) to “0 – None”.
      • You may want to adjust this value based on your observations in production.
    • You may need to adjust Rule Set if you have multiple AIE servers.
  6. Click on the Information tab, and configure the following:
    • Name your rule.
      • Example: test_Windows Certificate Export
    • Change the Rule Group to a group that best matches your environment. If this is the first time creating a custom AIE rule, you may want to create a rule group called “Custom”.
    • In the Brief Description field, you may want to enter something similar to:
      • Custom AIE rule to detect Windows Certificate Export.
    • In the Additional Details field, you may want to enter something similar to:
      • Custom AIE rule based on LogRhythm blog to detect Windows Certificate Export. This technique of unauthorized certificate extraction was observed by adversary UNC2452 as part of the SolarWinds compromise.
  7. Click OK to complete the AIE rule.

Your AIE rule should look something like this:

Figure 7. AI Engine Rule Wizard

Next, enable your AIE rule.

Detect Certificate Export with Endpoint Log Sources

When Sygnia released their advisory on the Golden SAML attack, they listed “Identifying certificate export events in ADFS” as a method of detection. You can use the information here to run threat hunts or build your own AIE rule. We will look at detecting three different methods of exporting certificates (Certutil, Mimikatz, and ADFSDump) with three different log sources (Security, PowerShell, and Sysmon). Use of these tools on an ADFS server should be highly scrutinized. Please note that two of these searches use pattern matches. We are showing the SQL pattern match format used for Web Console searches. Specifying log sources for the search will improve performance.

1. Certutil

Certutil.exe is a command line tool that is part of Microsoft’s Certificate Services.

Search Criteria: (VMID = 1 OR 4104 OR 4688) AND (Command = sql:%-exportPFX%)

Figure 8. WebUI Search criteria looking for VMID 1, 4104, or 4688 AND where “-exportPFX” exists in the Command line

2. Mimikatz

Mimikatz should need no introduction. This freely available tool can do many things, including extracting passwords, hashes, and certificates.

Search Criteria: (VMID = 1 OR 4104 OR 4688) AND (Command = sql:%crypto::% OR sql:% sekurlsa::%)

Figure 9. WebUI Search criteria looking for VMID 1, 4104, or 4688 AND where “crypto::” or “sekurlsa::” exists in the Command line

3. ADFSDump

ADFSDump is another freely available tool. It extracts information from Active Directory and the ADFS Configuration Database. Detecting it with this search requires logging Sysmon Event ID 18 (named pipe connected).

Search Criteria: (VMID = 18) AND (Object = \MICROSOFT##WID\tsql\query)

Figure 10. WebUI Search criteria looking for VMID 18 AND the named pipe being parsed in the Object field

This search looks for a frequently used pipe, so you may have to look at the process using it and exclude legitimate processes such as Microsoft.IdentityServer.ServiceHost.exe. In our test case, the Process Name was ADFSDump.exe.

Figure 11. WebUI Event details of the observed log message

AIE Rule

The previous searches can be combined into one AIE rule. This rule contains two include filters and one exclude filter. The commands in the second include filter are entered as regex matches (REGEX NO CASE). Figure 12 shows that the rule is set to “All Log Sources”. In production, the rule is meant to look at log sources on your ADFS server.

Figure 12. AIE Rule set to all log sources

Protecting Private Keys

Protecting private keys is paramount, and Microsoft’s “Best practices for securing Active Directory Federation Services” document should be followed. Logging your most critical systems that contain private keys is equally important. Microsoft has also provided guidance in “AD FS Troubleshooting – Events and Logging”.

Using the information in this blog, you can look for possible certificate exports that could indicate a compromise. LogRhythm Labs will be releasing detections as they relate to the MITRE ATT&CK techniques in the near future. In the meantime, please feel free to reach out to us on the LogRhythm Community.

Learn More About Golden SAML Attacks

We expect to see a lot more Golden SAML attacks this year. To learn about how to detect and respond to these threats, tune into this webinar with Randy Franklin Smith and LogRhythm Labs. You will learn more on:

  • How attackers exploited selected installations of the SUNBURST backdoor
  • How a Golden SAML attack works
  • Possible ways to mitigate via preventive controls
  • Methods for detection via SIEM rules and threat hunting
  • What Office 365 logs do and don’t tell us about federated logins