
Create Suspicious_Access_Attempt_to_the_cert Windows_Share_Possible_C… #5073

Status: Open. Wants to merge 1 commit into base: master

Conversation

NinnessOtu

This rule detects attempts to access the Windows share IPC with the specific target name "cert," which could indicate unauthorized certificate requests. This behavior has been linked to tools such as Certipy.

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 7, 2024
Contributor

@github-actions github-actions bot left a comment


Welcome @NinnessOtu 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench
Member

nasbench commented Nov 7, 2024

Hey @NinnessOtu and thanks for your contribution. Please provide log evidence for EID 5145 as well as better context for why this is interesting to look for, perhaps by providing actual references to blogs or sandboxes that made use of this technique.

@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Nov 7, 2024
@nasbench nasbench marked this pull request as draft November 7, 2024 17:49
@NinnessOtu
Author

NinnessOtu commented Nov 7, 2024

Hello @nasbench,
Actually, during my research into the behavior of the Certipy tool, I discovered a particular aspect of how it operates.
When Certipy is used to make any certificate request, it communicates through the \pipe\cert pipe on AD CS.

For example, when running the following command:

certipy req -u sigmapoc -p P@ssword -dc-ip 10.0.10.180 -ca TCA01-CA -template ESC2_TEST -target TCA01.domain.LOCAL -debug

The output (from Certipy v4.8.2 by Oliver Lyak) provides details of the connection process:

[+] Trying to resolve 'TCA01.domain.LOCAL' at '10.0.10.182'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.0.10.182[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.0.10.182[\pipe\cert]

Here are the logs:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5145</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12811</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-11-07T18:36:41.632462600Z" />
    <EventRecordID>211680</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="284" />
    <Channel>Security</Channel>
    <Computer>TCA01.domain.LOCAL</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1785001660-2072756767-72384860-1103</Data>
    <Data Name="SubjectUserName">sigmapoc</Data>
    <Data Name="SubjectDomainName">domain</Data>
    <Data Name="SubjectLogonId">0x112e27</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">10.0.10.1</Data>
    <Data Name="IpPort">39042</Data>
    <Data Name="ShareName">\\*\IPC$</Data>
    <Data Name="ShareLocalPath" />
    <Data Name="RelativeTargetName">cert</Data>
    <Data Name="AccessMask">0x3</Data>
    <Data Name="AccessList">%%4416 %%4417</Data>
    <Data Name="AccessReason">-</Data>
  </EventData>
</Event>

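The detection logic the PR describes (EID 5145, ShareName ending in IPC$, RelativeTargetName "cert") exercised against 5145 event XML, as an added Python example that is neither the PR's Sigma rule nor SigmaHQ code; the sample events are constructed, modelled on the record quoted above, and the benign pipe name `srvsvc` used as a negative case is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows Event Log XML, as seen in the event quoted in the thread.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> dict:
    """Flatten a Security event into {"EventID": ..., <Data Name>: <value>}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def matches_cert_pipe_access(ev: dict) -> bool:
    """Mirror of the PR's selection: 5145 + IPC$ share + target name 'cert'.
    Comparisons are case-insensitive, which is Sigma's default for strings."""
    return (
        ev.get("EventID") == "5145"
        and ev.get("ShareName", "").lower().endswith("\\ipc$")
        and ev.get("RelativeTargetName", "").lower() == "cert"
    )


def build_event(target: str, share: str = "\\\\*\\IPC$", eid: str = "5145") -> str:
    """Constructed sample event, trimmed to the fields the detection needs."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">sigmapoc</Data>
    <Data Name="IpAddress">10.0.10.1</Data>
    <Data Name="ShareName">{share}</Data>
    <Data Name="RelativeTargetName">{target}</Data>
    <Data Name="AccessMask">0x3</Data>
  </EventData>
</Event>"""


# Constructed corpus: one true positive and three near-misses that must not fire.
SAMPLE_EVENTS = [
    build_event("cert"),                     # Certipy-style request via \pipe\cert
    build_event("srvsvc"),                   # assumed routine pipe name, no match
    build_event("cert", share="\\\\*\\C$"),  # same name on a non-IPC$ share
    build_event("cert", eid="5140"),         # share-level event, wrong EID
]


def find_matches(events):
    """Return the parsed events that satisfy the detection."""
    parsed = [parse_event(x) for x in events]
    return [ev for ev in parsed if matches_cert_pipe_access(ev)]
```

Legitimate RPC-based enrollment clients can reach the same pipe, so baseline hits by SubjectUserName and IpAddress before treating a match as an alert.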
@NinnessOtu NinnessOtu marked this pull request as ready for review November 7, 2024 18:56
@nasbench nasbench removed the Author Input Required changes the require information from original author of the rules label Nov 13, 2024