EXPLORE
Sign In
← Back to Explore
splunk_escuCorrelation

Steal or Forge Authentication Certificates Behavior Identified

The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.

MITRE ATT&CK

T1649

Detection Query

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
  WHERE All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system"
  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 5
| `steal_or_forge_authentication_certificates_behavior_identified_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

References

Tags

Windows Certificate Services
Raw Content
name: Steal or Forge Authentication Certificates Behavior Identified
id: 87ac670e-bbfd-44ca-b566-44e9f835518d
version: 7
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Correlation
data_source: []
description: The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.
search: |-
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
      WHERE All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system"
      BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
    | `drop_dm_object_name(All_Risk)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where source_count >= 5
    | `steal_or_forge_authentication_certificates_behavior_identified_filter`
how_to_implement: The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.
known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed.
references:
    - https://research.splunk.com/stories/windows_certificate_services/
    - https://attack.mitre.org/techniques/T1649/
drilldown_searches:
    - name: View the detection results for - "$risk_object$"
      search: '%original_detection_search% | search  risk_object = "$risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
tags:
    analytic_story:
        - Windows Certificate Services
    asset_type: Endpoint
    atomic_guid:
        - 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86
        - 78b274f8-acb0-428b-b1f7-7b0d0e73330a
        - 7617f689-bbd8-44bc-adcd-6f8968897848
    mitre_attack_id:
        - T1649
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log
          source: certs
          sourcetype: stash