Details of the event with ID 5058 of the source Microsoft-Windows-Security-Auditing

Event Source:Microsoft Windows Security Auditing
Event ID:5058 (0x13C2)
Event log:Security
Event type:Information
Event text (English):Key file operation. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Cryptographic Parameters: Provider Name: %5 Algorithm Name: %6 Key Name: %7 Key Type: %8 Key File Operation Information: File Path: %9 Operation: Return Code:
Event text (German):Key file process. Applicant: Security ID: %1 Account name: %2 Account domain: %3 Logon ID: %4 Cryptographic parameters: Provider name: %5 Algorithm name: %6 Key name: %7 Key type: %8 Key file operation information: File path: %9 Operation: Return code:

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: SubjectUserSid (win:SID)
  • %2: SubjectUserName (win:UnicodeString)
  • %3: SubjectDomainName (win:UnicodeString)
  • %4: SubjectLogonId (win:HexInt64)
  • %5: ProviderName (win:UnicodeString)
  • %6: AlgorithmName (win:UnicodeString)
  • %7: KeyName (win:UnicodeString)
  • %8: KeyType (win:UnicodeString)
  • %9: KeyFilePath (win:UnicodeString)
  • : Operation (win:UnicodeString)
  • : ReturnCode (win:HexInt32)

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Example events

Key file operation.

Subject:
    Security ID: SYSTEM
    Account Name: CA02$
    Account Domain: INTRA
    Logon ID: 0x3E7

Process Information:
    Process ID: 1304
    Process Creation Time: 2020-08-24T15:50:54.567208200Z

Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: UNKNOWN
    Key Name: ADCS Labor Issuing CA 1
    Key Type: Machine key.

Key File Operation Information:
    File Path: C:\ProgramData\Microsoft\Crypto\Keys\8f4d5bc6fa6fac902f5963989418f87a_b3e53438-e215-40c9-b807-b9bc9cbab7c4
    Operation: Read persisted key from file.
    Return Code: 0x0

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

This event occurs when a software-based key is accessed. Correspondingly, also when a certification authority has a software key and accesses it.

It occurs together with the Event with ID 5059 of source Microsoft-Windows-Security-Auditing on.

The event occurs only when the Auditing is activated for "Other System Events".

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

This event can be evaluated as critical for integrity if there is an access to the certification authority key away from the certification authority context. The certification authority service runs in the "SYSTEM" context.

It is therefore a good idea to set up monitoring for this event and filter it using the following criteria:

  • Access is not through the "SYSTEM" account.
  • (Optional) Access is to a specific named key (see event details.

Windows Event Forwarding (WEF) example:

{QueryList}
  {Query Id="0" Path="Security"}
    {Select Path="Security"}
      *[System[(EventID='5058') or (EventID='5059')]] and
      *[EventData[Data[@Name="SubjectLogonId"] != "0x3e7"]]
    {/Select}
  {/Query}
{/QueryList}

Related links:

External sources

en_USEnglish