Detectionlowtest

Active Directory Certificate Services Denied Certificate Enrollment Request

Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

@serkinvaleryCreated Thu Mar 07994bfd6d-0a2e-481e-a861-934069fcf5f5windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: 'Microsoft-Windows-CertificationAuthority'
        EventID: 53
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access TA0005 · Defense Evasion

Sub-techniques

T1553.004 · Install Root Certificate

Rule Metadata

Rule ID

994bfd6d-0a2e-481e-a861-934069fcf5f5

Status

test

Level

low

Type

Detection

Created

Thu Mar 07

Author

@serkinvalery

Path

rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml

Raw Tags

attack.credential-accessattack.defense-evasionattack.t1553.004

View on GitHub