Methods to detect when a certificate is exported from a Windows system are discussed in detail below, using the “Certificate Services Lifecycle Notifications” audit log, collecting its messages with the “MS Windows Event Logging XML – Generic” log source type, and focusing on Event ID 1007. We also demonstrate WebUI searches and an AIE rule that look for command line observations of Mimikatz, certutil, or ADFSDump indicating a suspicious certificate export.
As part of the SolarWinds attack by the adversary FireEye tracks as UNC2452, the attacker used a Golden SAML attack to move laterally to the cloud. In summary, the attacker moved laterally by extracting the private key from the ADFS server and generating a forged SAML authentication message, which granted them access to Microsoft Azure.
By first focusing on a rare activity (certificate export) and further refining the focus to critical servers (where private keys are held), we can surface high-risk certificate exports, thus providing a quick win for security operations center (SOC) analysts and incident responders.
In this blog, you will learn how an analyst using the LogRhythm NextGen SIEM can collect an audit log that doesn’t have a defined log source type yet and leverage that log to detect when a certificate has been exported. We will also cover WebUI searches that an analyst can perform today to search for possible certificate export activity. The method we describe in searching the WebUI will become the basis for a future AIE rule in the MITRE ATT&CK module.
Certificate Services Lifecycle Notifications is a great audit log for identifying when certificates have been exported. As of this writing, LogRhythm doesn’t have a dedicated log source type for this audit log, but LogRhythm customers can use the “MS Windows Event Logging XML – Generic” log source type to collect it. You’ll quickly realize the benefits, because you will have an actionable log that can be turned into an AIE Event and, optionally, an alarm whenever certificates have been exported. This is considered an actionable alert, especially when coupled with monitoring the critical systems on which private keys are stored, because a key export is typically a rare event and the change control activity around it should be well known in advance. The following are the steps a LogRhythm customer can take to collect the audit log, create an AIE Event for the detection, and alarm on the event.
Another method of extracting the self-signed certificate is to use the following commands in PowerShell:
You can verify the logs have been generated from your test by using Event Viewer on the system you tested on, and navigating to the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational audit log.
Here is an example of the audit logs being generated as part of the test:
Using the WebUI, perform the following steps:
Please keep in mind that the “Generic” log source type isn’t meant to parse out every field, but the fields it does present are valuable enough to build an AI Engine rule with. Also note that the “Log Message” tab displays the full log message, which helps an analyst understand which Thumbprint was exported.
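Because the Generic log source type leaves the useful fields inside the raw message, here is an added example (not part of the original post or a LogRhythm product) that pulls the thumbprint out of the Event ID 1007 XML and flags exports from servers that hold private keys. The sample event is constructed, and the EventData field names (SubjectName, Thumbprint) are an assumption for the example rather than the documented 1007 schema.

```python
import re
import xml.etree.ElementTree as ET

# Windows Event Log XML namespace and the channel the blog collects from.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LIFECYCLE_CHANNEL = ("Microsoft-Windows-CertificateServicesClient-"
                     "Lifecycle-System/Operational")
EXPORT_EVENT_ID = 1007
SHA1_THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample event. The EventData field names are an assumption made for
# this example, not the documented 1007 schema; map them to what your Log Message tab shows.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System"/>
    <EventID>1007</EventID>
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Channel>
    <Computer>adfs01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectName">CN=ADFS Signing - sts.example.test</Data>
    <Data Name="Thumbprint">0123456789abcdef0123456789abcdef01234567</Data>
  </EventData>
</Event>"""

def parse_cert_export(xml_text, critical_hosts):
    """Return an alert dict for an Event ID 1007 export, or None for any other event.

    critical_hosts is the set of servers that hold private keys (e.g. ADFS); an export
    from one of them is marked critical, which is the refinement the blog describes."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
    channel = system.findtext("e:Channel", default="", namespaces=NS)
    if event_id != EXPORT_EVENT_ID or channel != LIFECYCLE_CHANNEL:
        return None
    host = system.findtext("e:Computer", default="", namespaces=NS).lower()
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    thumbprint = data.get("Thumbprint", "").upper()
    return {
        "host": host,
        "subject": data.get("SubjectName", ""),
        "thumbprint": thumbprint,
        "thumbprint_valid": bool(SHA1_THUMBPRINT.match(thumbprint)),
        "critical": host in {h.lower() for h in critical_hosts},
    }
```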
Here’s an example of “Log Message”:
Create a new rule using the AI Engine Rule Wizard. The following are steps to populate the rule logic:
Your AIE rule should look something like this:
Next, enable your AIE rule.
When Sygnia released their advisory on the Golden SAML attack, they listed “Identifying certificate export events in ADFS” as a method of detection. You can use the information here to run threat hunts or build your own AIE rule. We will look at detecting three different methods of exporting certificates (Certutil, Mimikatz, and ADFSDump) with three different log sources (Security, PowerShell, and Sysmon). Use of these tools on an ADFS server should be highly scrutinized. Please note that two of these searches use pattern matches. We are showing the SQL pattern match format used for Web Console searches. Specifying log sources for the search will improve performance.
Certutil.exe is a command line tool that is part of Microsoft’s Certificate Services.
Search Criteria: (VMID = 1 OR 4104 OR 4688) AND (Command = sql:%-exportPFX%)
Mimikatz should need no introduction. This freely available tool can do many things, including extracting passwords, hashes, and certificates.
Search Criteria: (VMID = 1 OR 4104 OR 4688) AND (Command = sql:%crypto::% OR sql:% sekurlsa::%)
ADFSDump is another freely available tool. It extracts information from Active Directory and the ADFS configuration database. Detecting it with the search below requires logging Sysmon Event ID 18 (pipe connected).
Search Criteria: (VMID = 18) AND (Object = \MICROSOFT##WID\tsql\query)
This search looks for a frequently used pipe, so you may have to look at the process using it and exclude legitimate processes like Microsoft.IdentityServer.ServiceHost.exe. In our test case, the Process Name was ADFSDump.exe.
The previous searches can be combined into one AIE rule. This rule contains two include filters and one exclude filter. The commands in the second include filter are entered as regex matches (REGEX NO CASE). Figure 12 shows that the rule is set to “All Log Sources”. In production, the rule is meant to look at log sources on your ADFS server.
Protecting private keys is paramount, and Microsoft has provided a “Best practices for securing Active Directory Federation Services” document that should be followed. Logging your most critical systems that contain private keys is equally important. Microsoft has also provided guidance in “AD FS Troubleshooting – Events and Logging.”
Using the information in this blog, you can look for possible certificate exports that could indicate a compromise. LogRhythm Labs will be releasing detections as they relate to the MITRE ATT&CK techniques in the near future. In the meantime, please feel free to reach out to us on the LogRhythm Community.
We expect to see a lot more Golden SAML attacks this year. To learn about how to detect and respond to these threats, tune into this webinar with Randy Franklin Smith and LogRhythm Labs. You will learn more on: