← Back to SOC feed Coverage →

Suspicious X509Enrollment - Process Creation

sigma MEDIUM SigmaHQ
T1553.004
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-13T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detect use of X509Enrollment

Detection Rule

Sigma (Original)

title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
    - id: 504d63cb-0dba-4d02-8531-e72981aace2c
      type: similar
status: test
description: Detect use of X509Enrollment
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'X509Enrollment.CBinaryConverter'
            - '884e2002-217d-11da-b2a4-000e7bbb2b09'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "X509Enrollment.CBinaryConverter" or TargetProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml