MITRE ATT&CK® Analytic

AN0671: Analytic 0671

Monitor for abnormal certificate enrollment and usage activity in Active Directory Certificate Services (AD CS), registry access to certificate storage locations, and unusual process executions that attempt to export or access private keys.

Domain: Enterprise | Object: AN0671 (Analytic) | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because abnormal certificate enrollment, certificate store access, or private-key export activity in Windows environments can indicate misuse of Active Directory Certificate Services or certificate material. For leaders, the decision value is not just whether AD CS exists, but whether the organization can see and investigate unusual certificate lifecycle activity before it becomes an identity, access, or persistence risk.

Executive priority

Treat this as an identity and resilience coverage question for Windows environments using AD CS or certificate-based authentication. Security leaders should ask whether certificate enrollment, private-key access, and certificate store changes are logged, retained, and reviewable by the SOC. The priority is strongest where certificates support privileged access, remote access, device authentication, or compliance-sensitive systems, because weak visibility can leave incident responders unable to prove what identities or keys were used.

Technical view

Validate monitoring around AD CS enrollment activity, Windows certificate storage locations, registry access related to certificates, and process executions that attempt to access or export private keys. Because no ATT&CK detection logic is supplied, teams should build environment-specific baselines for normal certificate enrollment, administrative tooling, service account behavior, and legitimate key export workflows. Investigations should correlate certificate events with process execution, account context, host role, and timing to distinguish routine administration from abnormal access patterns.

Likely telemetry

  • Windows process execution telemetry, including command line and parent-child process context where available (Security event 4688 with command-line auditing enabled, or Sysmon event 1)
  • AD CS audit events from the certificate authority's Security log (requests received, issued, denied or pended; template and CA configuration changes), which only appear when the Certification Services audit subcategory and the CA's audit filter are enabled
  • Windows registry access telemetry for certificate storage-related locations, such as the SystemCertificates keys under HKLM and HKCU (Security event 4663 with a SACL on the key, or Sysmon events 12 and 13)
  • Certificate store access or modification evidence, including file access to the CAPI and CNG key containers under the Microsoft\Crypto directories in %APPDATA% and %ProgramData%, where the private key material itself is stored
  • Account, host, and service account context associated with certificate enrollment or private-key access

Detection direction

  • Confirm whether AD CS and certificate-related Windows telemetry is actually collected from certificate authorities, administrative workstations, and relevant servers.
  • Baseline normal certificate enrollment volume, request patterns, requesting accounts, certificate templates, and expected administrative processes before alerting on anomalies.
  • Tune for unusual private-key export or access attempts, especially when performed by unexpected users, hosts, or processes.
  • Correlate registry access to certificate storage locations with process execution and account context to reduce false positives from legitimate certificate management tools.
  • Account for administrative maintenance, certificate renewal, backup, and deployment workflows as expected sources of benign activity.
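The script below is an added example, not part of the ATT&CK object or of Glexia's analysis. It runs the three evidence classes described above (enrollment baselining, private-key export command lines, and certificate-store registry access) over constructed sample records and then correlates the findings per account so that an actor who trips more than one class is escalated. The record field names, the allow-lists, and every host, account, thumbprint and command line are assumptions for illustration; event IDs 4886/4887, the SystemCertificates registry path, and the certutil, Export-PfxCertificate and crypto::certificates command-line patterns are real Windows and tooling values.

```python
import re
from collections import Counter, defaultdict

# ---- Constructed sample telemetry (illustrative, not real logs) ------------------
# AD CS audit events from the CA's Security log: 4886 = request received, 4887 = issued.
BASELINE_ENROLLMENTS = [
    {"event_id": 4887, "requester": "CORP\\svc-scep", "template": "Workstation"},
    {"event_id": 4887, "requester": "CORP\\svc-scep", "template": "Workstation"},
    {"event_id": 4887, "requester": "CORP\\jdoe", "template": "User"},
]
LIVE_ENROLLMENTS = [
    {"event_id": 4887, "requester": "CORP\\svc-scep", "template": "Workstation"},
    {"event_id": 4886, "requester": "CORP\\jdoe", "template": "EnrollmentAgent"},
]
# Process-creation records: who ran which image with which command line, and where.
PROCESS_EVENTS = [
    {"host": "WS-ADMIN01", "user": "CORP\\pki-admin", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -exportPFX -p ****** My 1A2B3C4D D:\\backup\\ca.pfx"},
    {"host": "WS-HR07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -exportPFX -p x My 9F8E7D6C C:\\Users\\jdoe\\AppData\\Local\\Temp\\k.pfx"},
    {"host": "WS-HR07", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\m.exe",
     "cmdline": "m.exe \"crypto::certificates /export\" exit"},
    {"host": "WS-ADMIN01", "user": "CORP\\pki-admin", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -dump"},
]
# Registry access records (Sysmon 12/13 or Security 4663 style) against the
# certificate stores Windows keeps under ...\SystemCertificates\.
REGISTRY_EVENTS = [
    {"host": "WS-ADMIN01", "user": "CORP\\pki-admin", "image": "C:\\Windows\\System32\\mmc.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates\\1A2B3C4D"},
    {"host": "WS-HR07", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\m.exe",
     "key": "HKCU\\SOFTWARE\\Microsoft\\SystemCertificates\\MY\\Certificates\\9F8E7D6C"},
]

# ---- Environment-specific tuning (assumed values; derive real ones from baselining) ----
SENSITIVE_TEMPLATES = {"EnrollmentAgent", "DomainController"}
APPROVED_EXPORTERS = {("CORP\\pki-admin", "WS-ADMIN01")}   # (user, host) allowed to export keys
EXPORT_TOOLS = {"certutil.exe", "powershell.exe"}          # sanctioned export tooling
CERT_STORE_TOOLS = {"certutil.exe", "mmc.exe", "lsass.exe", "svchost.exe"}
EXPORT_CMDLINE = re.compile(r"-exportpfx|export-pfxcertificate|crypto::(certificates|keys)", re.I)
CERT_STORE_KEY = re.compile(r"\\SystemCertificates\\", re.I)


def finding(kind, user, host, severity, detail):
    return {"type": kind, "user": user, "host": host, "severity": severity, "detail": detail}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def enrollment_baseline(events):
    """Historical count of issued certificates per (requester, template) pair."""
    return Counter((e["requester"], e["template"]) for e in events if e["event_id"] == 4887)

def flag_enrollments(events, baseline):
    """Requests for sensitive templates, or from a (requester, template) pair never seen before."""
    out = []
    for e in events:
        if e["template"] in SENSITIVE_TEMPLATES:
            out.append(finding("enroll_sensitive_template", e["requester"], None, "high", e["template"]))
        elif (e["requester"], e["template"]) not in baseline:
            out.append(finding("enroll_new_pair", e["requester"], None, "medium", e["template"]))
    return out

def flag_key_exports(events):
    """Command lines that export private keys; an unexpected actor or tool raises severity."""
    out = []
    for e in events:
        if EXPORT_CMDLINE.search(e["cmdline"]):
            img = image_name(e["image"])
            expected = (e["user"], e["host"]) in APPROVED_EXPORTERS and img in EXPORT_TOOLS
            out.append(finding("key_export", e["user"], e["host"], "low" if expected else "high", img))
    return out

def flag_cert_store_access(events):
    """Certificate-store registry access by images outside the sanctioned tool set."""
    return [finding("cert_store_access", e["user"], e["host"], "medium", image_name(e["image"]))
            for e in events
            if CERT_STORE_KEY.search(e["key"]) and image_name(e["image"]) not in CERT_STORE_TOOLS]

def correlate(findings):
    """Per account: escalate when two evidence classes agree or any single finding is high."""
    rank = {"low": 0, "medium": 1, "high": 2}
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    verdict = {}
    for user, fs in by_user.items():
        worst = max((f["severity"] for f in fs), key=rank.get)
        kinds = {f["type"] for f in fs}
        verdict[user] = ("investigate" if len(kinds) >= 2 or worst == "high"
                         else "review" if worst == "medium" else "expected")
    return verdict

def run_analytic():
    baseline = enrollment_baseline(BASELINE_ENROLLMENTS)
    findings = (flag_enrollments(LIVE_ENROLLMENTS, baseline) + flag_key_exports(PROCESS_EVENTS)
                + flag_cert_store_access(REGISTRY_EVENTS))
    return findings, correlate(findings)

if __name__ == "__main__":
    print(*run_analytic(), sep="\n")
```

Two caveats a practitioner will hit when wiring this to real telemetry. First, the 4886/4887 audit events are not emitted by default: the Certification Services audit subcategory must be enabled on the CA and the CA's audit filter set (certutil -setreg CA\AuditFilter 127 enables all categories), otherwise the enrollment baseline is empty and every request looks new. Second, the SystemCertificates registry keys hold certificate blobs and metadata, not the private keys; CAPI and CNG key material lives on disk under the Microsoft\Crypto directories in %APPDATA% and %ProgramData%, so reads of those files need file-access telemetry that registry monitoring alone will not provide.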

Mitigation priorities

  • Inventory whether AD CS and certificate-based authentication are in scope for the Windows environment.
  • Ensure certificate authority, endpoint, registry, and process telemetry needed for investigation is enabled and retained.
  • Limit and review who can enroll, manage, export, or access private keys, using least-privilege administration appropriate to the environment.
  • Define approved workflows for certificate enrollment, renewal, backup, and key export so abnormal activity can be distinguished from routine operations.
  • Include certificate misuse scenarios in incident response playbooks and evidence collection procedures.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows focused on abnormal AD CS certificate enrollment and usage, registry access to certificate storage locations, and process executions involving private-key access or export. No tactics, technique relationships, procedure examples, or official detection logic were supplied, so this take emphasizes validation questions and evidence classes rather than specific alert rules.

This assessment is limited to the provided STIX fields, external reference, and absence of relationship context. It does not establish active exploitation, adversary attribution, business exposure, or guaranteed detection coverage. Local AD CS configuration, certificate usage, logging policy, endpoint coverage, and administrative workflows are required to determine priority and implement reliable detection.

Official MITRE ATT&CK definition

Analytic 0671

Monitor for abnormal certificate enrollment and usage activity in Active Directory Certificate Services (AD CS), registry access to certificate storage locations, and unusual process executions that attempt to export or access private keys.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded in this snapshot)
Modified: (not recorded in this snapshot)
Raw hash: 7a3fd1ee861cf5f2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not recorded) | 1.0 | (not recorded) | Current bundle | 7a3fd1ee861c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN0671 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.