From bcedce923fc2e4c9a7f2a09a0a2642338c75cf1a Mon Sep 17 00:00:00 2001
From: tr0mb1r
Date: Fri, 8 Mar 2024 04:33:56 +0400
Subject: [PATCH] Merge PR #4730 from @tr0mb1r - Add `Active Directory Certificate Services Denied Certificate Enrollment Request`
new: Active Directory Certificate Services Denied Certificate Enrollment Request
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
..._system_adcs_enrollment_request_denied.yml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
new file mode 100644
index 000000000..cbf709c13
--- /dev/null
+++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
@@ -0,0 +1,25 @@
+title: Active Directory Certificate Services Denied Certificate Enrollment Request
+id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
+status: experimental
+description: |
+ Detects denied requests by Active Directory Certificate Services.
+ Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
+references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
+ - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
+author: '@SerkinValery'
+date: 2024/03/07
+tags:
+ - attack.credential_access
+ - attack.t1553.004
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Provider_Name: 'Microsoft-Windows-CertificationAuthority'
+ EventID: 53
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
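Review bot: The tags pair `attack.credential_access` with `attack.t1553.004`, but T1553.004 (Install Root Certificate) belongs to Defense Evasion and does not describe a denied enrollment request. For AD CS abuse attempts the matching Credential Access technique is T1649 (Steal or Forge Authentication Certificates), so the second tag should read `- attack.t1649`. Separately, `service: system` should be confirmed on a CA host: events from the Microsoft-Windows-CertificationAuthority provider are, as far as I know, written to the Application log, in which case this rule would never match and `service: application` is needed. `falsepositives: - Unknown` also undersells what the description already states; routine denials caused by template permission errors or invalid signatures are expected noise and worth listing so analysts can triage at `level: low` without guessing.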