The detection rule identifies potential misuse of X.509 certificates in a public key infrastructure (PKI) setup, which could indicate unauthorized certificate generation or impersonation. SOC teams should proactively hunt for this behavior to uncover adversarial attempts to establish rogue certificates and compromise internal trust relationships within their Azure Sentinel environment.
YARA Rule
rule x509_public_key_infrastructure_cert
{
    meta:
        desc = "X.509 PKI Certificate"
        ext = "crt"
    strings:
        $c0 = { 30 82 ?? ?? 30 82 ?? ?? }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($c0) in its detection logic.
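The following is an added example, not code from the rule page or its author: it decodes the leading DER tag/length headers to show what the hex string 30 82 ?? ?? 30 82 ?? ?? actually matches (an outer SEQUENCE with a two-byte length whose first element is another SEQUENCE with a two-byte length, i.e. a DER certificate over 255 bytes), and it contrasts that with a stricter structural check. The sample buffers are constructed stand-ins, not real certificates; the YARA match is emulated with a byte regex rather than the YARA engine.

```python
# Added example, not part of the original rule page: it shows what the hex
# string 30 82 ?? ?? 30 82 ?? ?? matches by decoding the leading DER headers,
# where the pattern misses (PEM text, small certificates) and where it
# over-matches (DER embedded at a non-zero offset). All samples are constructed.
import base64
import re

YARA_HEX = "30 82 ?? ?? 30 82 ?? ??"  # the $c0 string from the rule


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (bytes and ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def yara_matches(data: bytes) -> bool:
    """Emulate `condition: $c0`: the string may occur at any offset."""
    return hex_pattern_to_regex(YARA_HEX).search(data) is not None


def der_header(buf: bytes, off: int):
    """Decode one DER tag/length at `off`; return (tag, content_len, header_len)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def der_sequence(body: bytes) -> bytes:
    """Wrap `body` in a DER SEQUENCE using the minimal length encoding."""
    n = len(body)
    if n < 0x80:
        return b"\x30" + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body


def looks_like_der_cert(data: bytes) -> bool:
    """Stricter structural check: a SEQUENCE at offset 0 spanning the whole
    buffer whose first element is itself a SEQUENCE (the tbsCertificate)."""
    if len(data) < 4:
        return False
    tag, outer_len, h = der_header(data, 0)
    if tag != 0x30 or h + outer_len != len(data):
        return False
    tag2, inner_len, h2 = der_header(data, h)
    return tag2 == 0x30 and h + h2 + inner_len <= len(data)


# Constructed stand-ins: a "big" DER certificate (both lengths need two bytes,
# so the file starts 30 82 LL LL 30 82 LL LL), a tiny one (short-form lengths),
# the big one re-encoded as PEM, and the big one embedded behind a header.
BIG_CERT = der_sequence(der_sequence(b"A" * 300) + b"\x30\x03\x02\x01\x00")
SMALL_CERT = der_sequence(der_sequence(b"A" * 20))
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(BIG_CERT)
            + b"-----END CERTIFICATE-----\n")
EMBEDDED = b"\x00" * 16 + BIG_CERT


def classify(samples: dict) -> dict:
    """Return {name: (hex_rule_hit, strict_parser_hit)} for each sample."""
    return {name: (yara_matches(d), looks_like_der_cert(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = classify({"BIG_CERT": BIG_CERT, "SMALL_CERT": SMALL_CERT,
                        "PEM_CERT": PEM_CERT, "EMBEDDED": EMBEDDED})
    for name, (hex_hit, strict_hit) in results.items():
        print(f"{name:10s} hex rule: {hex_hit!s:5s} strict DER check: {strict_hit}")
```

Two caveats follow directly from the decoding: the rule cannot see PEM-encoded certificates (base64 text never contains the byte 0x82), and it does not distinguish a certificate file from any other file that carries a large DER SEQUENCE somewhere inside it, which is why the benign scenarios below need process-level exclusions.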
Scenario: System Certificate Authority (CA) Certificate Installation
Description: A system administrator installs a new CA certificate to enable secure communication between internal services.
Filter/Exclusion: process.name != "certutil.exe" AND process.name != "manage-bde.exe" (exclude known CA management tools; joined with OR the condition would be true for every event and exclude nothing)
Scenario: Scheduled Job for Certificate Renewal
Description: A scheduled task runs to renew expired certificates using a certificate management tool like certutil.exe.
Filter/Exclusion: process.name == "certutil.exe" AND event_id == 1211 (exclude specific renewal event IDs)
Scenario: Admin Task to Export Certificates
Description: An administrator exports a certificate from the local machine store using certmgr.exe for backup or transfer purposes.
Filter/Exclusion: process.name == "certmgr.exe" AND event_id == 1210 (exclude certificate export events)
Scenario: Code Signing Certificate Usage
Description: A developer signs a script or executable using a code signing certificate, which may trigger the rule due to the presence of a public key infrastructure (PKI) certificate.
Filter/Exclusion: process.name == "signtool.exe" OR process.name == "osslsigncode" (exclude known code signing tools)
Scenario: TLS/SSL Certificate Inspection by Security Software
Description: A security tool like Cisco Umbrella or Microsoft Defender for Endpoint inspects TLS/SSL traffic and extracts certificate information, which may match the detection rule.
Filter/Exclusion: process.name == "umbrella.exe" OR process.name == "microsoft Defender for Endpoint" (exclude known security inspection tools)
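As an added example (not part of the original page), the filters above applied to a handful of constructed process events. It shows why an allowlist of several process names must be joined with AND (or expressed as NOT IN), since a condition of the form `!= A OR != B` is true for every event, and why the comparison should fold case on Windows. The field names, event ids other than 1211, and the events themselves are constructed.

```python
# Added example, not from the original page: applies process-name exclusion
# filters of the kind listed above to constructed telemetry. Events, field
# names and the event id 4100 are made up for illustration.
from dataclasses import dataclass
from typing import Callable, List

KNOWN_PKI_TOOLS = {"certutil.exe", "certmgr.exe", "signtool.exe", "osslsigncode"}


@dataclass(frozen=True)
class Event:
    process_name: str
    event_id: int


# Constructed sample events (not real logs).
EVENTS = [
    Event("certutil.exe", 1211),     # scheduled renewal
    Event("CertUtil.exe", 4100),     # same binary, different casing
    Event("signtool.exe", 4100),     # code signing
    Event("powershell.exe", 4100),   # not a known PKI tool
    Event("manage-bde.exe", 4100),
]


def keep_or_filter(e: Event) -> bool:
    """`!= A OR != B`, a common mistake: one side is always true, so every
    event survives and nothing is excluded."""
    return e.process_name != "certutil.exe" or e.process_name != "manage-bde.exe"


def keep_and_filter(e: Event) -> bool:
    """Corrected form: drop the event only if it is one of the two tools.
    Still case-sensitive, so "CertUtil.exe" slips through."""
    return e.process_name != "certutil.exe" and e.process_name != "manage-bde.exe"


def keep_allowlist(e: Event) -> bool:
    """Set-based allowlist with case folding, the form most query languages
    express as NOT lower(process.name) IN (...)."""
    return e.process_name.lower() not in KNOWN_PKI_TOOLS | {"manage-bde.exe"}


def keep_unless_renewal(e: Event) -> bool:
    """Exclude only the specific renewal event (tool AND event id), as the
    scheduled-renewal scenario does; other certutil activity still alerts."""
    return not (e.process_name.lower() == "certutil.exe" and e.event_id == 1211)


def apply_filter(events: List[Event], keep: Callable[[Event], bool]) -> List[str]:
    """Return process names of events that survive the filter (i.e. still alert)."""
    return [e.process_name for e in events if keep(e)]


if __name__ == "__main__":
    for name, f in [("OR filter", keep_or_filter), ("AND filter", keep_and_filter),
                    ("allowlist", keep_allowlist), ("renewal only", keep_unless_renewal)]:
        print(f"{name:13s} -> {apply_filter(EVENTS, f)}")
```

The narrowest exclusion that still suppresses the benign case is preferable: excluding `certutil.exe` only together with the renewal event id keeps every other use of the same binary visible.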