Closed djlukic closed 2 months ago
Hi,
The rule 58c0bff0-40a0-46e8-b5e8-b734b84d2017 is using the logsource service: certificateservicesclient-lifecycle-system.
From the Sigma taxonomy it should check Channel: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational.
<Providers>
<Provider>
<Name>Microsoft-Windows-CertificateServicesClient-Lifecycle-System</Name>
<Metadata>
<Guid>{BC0669E1-A10D-4A78-834E-1CA3C806C93B}</Guid>
<ResourceFilePath>%SystemRoot%\system32\certenroll.dll</ResourceFilePath>
<ParameterFilePath></ParameterFilePath>
<MessageFilePath>%SystemRoot%\system32\certenroll.dll</MessageFilePath>
<HelpLink></HelpLink>
<PublisherMessage>Microsoft-Windows-CertificateServicesClient-Lifecycle-System</PublisherMessage>
<Channels>
<Channel>
<Message></Message>
<Path>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Path>
<Index>0</Index>
<Id>16</Id>
<Imported>false</Imported>
</Channel>
</Channels>
</Template>
</Event>
<Event>
<Id>1007</Id>
<Version>0</Version>
<Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Channel>
<Level>Information</Level>
<Message><![CDATA[
A certificate has been exported. Please refer to the "Details" section for more information.]]></Message>
<Template><![CDATA[
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="EventWriteData" inType="win:UnicodeString" outType="win:Xml"/>
</template>
I think this part is missing in your configuration.
Is this something that I need to configure, or will this be part of the next Sigma release?
This is dependent on the tool you're using. It has nothing to do with the release. What's the tool you're using to match the rules?
I use a custom-made tool that I am still learning about, and I can't share any more info about it. But this information that you helped me with is exactly what I need, so thank you for that. Is there a template for a taxonomy config that I can find somewhere?
EDIT: I am still learning about Sigma so please forgive me if I ask some very basic questions.
Two good resources to look at are https://sigmahq.io/docs/guide/getting-started.html and https://github.com/SigmaHQ/sigma-specification, which contain all the info you need on building good ingestion pipelines for your tool.
The taxonomy was linked by frack, but here is the link: https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-taxonomy-appendix.md
Hope this helps.
A small side note: in this case it's probably best to create discussions instead of issues, as they are better suited for that.
Rule UUID
58c0bff0-40a0-46e8-b5e8-b734b84d2017
Example EventLog
System
  Provider [ Name] Microsoft-Windows-Folder Redirection [ Guid] {7d7b0c39-93f6-4100-bd96-4dda859652c5}
  EventID 1007
  Version 0
  Level 4
  Task 0
  Opcode 0
  Keywords 0x4000000000000000
  TimeCreated [ SystemTime] 2024-07-10T17:09:33.6552053Z
  EventRecordID 34798
  Correlation [ ActivityID] {75ddd9f5-896d-4092-b383-1ff7cda1fe02}
  Execution [ ProcessID] 2068 [ ThreadID] 11028
  Channel Microsoft-Windows-Folder Redirection/Operational
  Computer redacted
  Security [ UserID] S-1-5-18
Description
Hi,
I am trying to understand why the Certificate Exported rule is hitting on the Windows Folder Redirection source. Do you have any idea, or is this simply due to the same Event ID number 1007?
Thank you.
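The two posts above describe the same problem from both ends: the rule's logsource has to be translated into a Channel constraint via the taxonomy, and a backend that skips that step will fire on any event with EventID 1007, including the Folder Redirection one shown. The following Python sketch is an added example, not code from this issue, from djlukic's tool or from SigmaHQ; it applies the taxonomy mapping quoted in the first post to two constructed EventID 1007 events and contrasts a matcher that ignores logsource with one that honours it. It assumes the rule's detection keys on EventID 1007 (as the thread indicates) and renders only the rule's logsource and detection blocks; the field names on the sample events are a plain flattening of the Event Viewer System section.

```python
"""Added example (not from the issue or SigmaHQ): a minimal Sigma matcher
showing why a backend must turn the rule's logsource into a Channel filter.
The events below are constructed samples, not real log records."""

from typing import Any, Dict, Tuple

# Logsource -> Windows channel, as listed in the Sigma taxonomy appendix.
# Only the entry discussed in this thread is included here.
SERVICE_TO_CHANNEL: Dict[Tuple[str, str], str] = {
    ("windows", "certificateservicesclient-lifecycle-system"):
        "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
}

# Simplified rendering of rule 58c0bff0-...: the thread indicates its detection
# keys on EventID 1007 ("A certificate has been exported"). The real rule file
# carries more metadata; only logsource and detection matter for matching.
CERT_EXPORTED_RULE: Dict[str, Any] = {
    "id": "58c0bff0-40a0-46e8-b5e8-b734b84d2017",
    "logsource": {
        "product": "windows",
        "service": "certificateservicesclient-lifecycle-system",
    },
    "detection": {"selection": {"EventID": 1007}, "condition": "selection"},
}

# Constructed events, flattened to the fields a SIEM would typically expose.
CERT_EXPORT_EVENT: Dict[str, Any] = {
    "Provider_Name": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "Channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "EventID": 1007,
}
FOLDER_REDIRECTION_EVENT: Dict[str, Any] = {
    "Provider_Name": "Microsoft-Windows-Folder Redirection",
    "Channel": "Microsoft-Windows-Folder Redirection/Operational",
    "EventID": 1007,  # same numeric ID, unrelated meaning
}


def logsource_channel(logsource: Dict[str, str]) -> str:
    """Resolve a Sigma logsource to the channel it stands for.

    Fails closed: an unmapped service raises instead of silently matching
    events from every channel, which is the false positive in this thread.
    """
    key = (logsource.get("product", ""), logsource.get("service", ""))
    try:
        return SERVICE_TO_CHANNEL[key]
    except KeyError:
        raise KeyError(f"no taxonomy mapping for logsource {key}") from None


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """AND over field/value pairs with plain equality (no Sigma modifiers)."""
    return all(event.get(field) == value for field, value in selection.items())


def match_detection_only(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Buggy behaviour: evaluate the detection block and ignore logsource."""
    if rule["detection"]["condition"] != "selection":
        raise NotImplementedError("only the bare 'selection' condition is handled")
    return selection_matches(rule["detection"]["selection"], event)


def match_with_logsource(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Correct behaviour: the logsource contributes an implicit Channel
    filter that is ANDed with the detection block."""
    if event.get("Channel") != logsource_channel(rule["logsource"]):
        return False
    return match_detection_only(rule, event)


if __name__ == "__main__":
    for name, event in (("CertificateServicesClient 1007", CERT_EXPORT_EVENT),
                        ("Folder Redirection 1007", FOLDER_REDIRECTION_EVENT)):
        print(f"{name}: detection only -> "
              f"{match_detection_only(CERT_EXPORTED_RULE, event)}, "
              f"with logsource -> {match_with_logsource(CERT_EXPORTED_RULE, event)}")
```

Run stand-alone, the detection-only matcher reports True for both events while the logsource-aware one reports True only for the CertificateServicesClient event. The fail-closed lookup is deliberate: a rule whose logsource has no entry in the tool's taxonomy table should be flagged at load time rather than degrade into a bare EventID match.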