MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1649: Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs. With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.

Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish Persistence by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates). Adversaries may also target certificates and related services in order to access other forms of credentials, such as Golden Ticket ticket-granting tickets (TGT) or NTLM plaintext.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-1362: Subrule_Remote_Credential_Theft_by_Masky: Subrule for Remote_Credential_Theft_by_Masky rule that detects downloading of the Masky agent to an attacked host and creating files with Masky results
mitre_attck_cred_access: PT-CR-1363: Masky_Tool_Usage: The use of the Masky tool is detected. Masky tool is designed to obtain NT hashes and TGT of users working on attacked hosts in order to request certificates on their behalf.
mitre_attck_cred_access: PT-CR-1366: Remote_Credential_Theft_by_Masky: The use of the Masky tool is detected. The Masky tool is designed to obtain TGT and NT hashes of users working on attacked hosts by requesting certificates on their behalf.
mssql_database: PT-CR-411: MSSQL_dump_key_or_certificate: An attempt to dump an encryption key or database certificate
active_directory_attacks: PT-CR-828: ADCS_Recon: An LDAP query to search for certificate servers in the network was executed. Attackers can exploit AD CS to steal credentials and gain persistence in the system.
active_directory_attacks: PT-CR-834: Enable_SAN_Flag_CA_Policy: The EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which allows any user to add the Subject Alternative Name attribute to the certificate signing request, is installed on the certificate server. Using this flag may allow attackers to authenticate on behalf of another user, including the domain administrator
active_directory_attacks: PT-CR-1215: CA_Cert_Export: A CA certificate has been exported, which can be used to issue valid certificates to any user without knowing their password. This allows an attacker to completely compromise the domain
active_directory_attacks: PT-CR-1216: Golden_Cert: TGTs are requested with a compromised CA certificate, and the attacker can unpack the hashes of all domain users, which equals to domain compromise
active_directory_attacks: PT-CR-2100: ADCSync_Attack: DCSync attack to obtain NTLM hashes of Active Directory user accounts using AD CS certificates
active_directory_attacks: PT-CR-2101: Bulk_Certs_Allowed_to_One_User: A bulk of certificates was issued to one user. This may indicate the use of the ADCSync utility that creates a request for each user, stores their PFX file in the certificate directory, and then tries to authenticate with the certificate and retrieve the NT hash for each user.
active_directory_attacks: PT-CR-2470: Cert_Request_and_Approved_with_Alt_SAN: A certificate with an alternative name is requested for an account. An attacker can use misconfigured AD CS certificate templates to impersonate an administrator and create additional authentication certificates.

Detection

IDDS0026Data source and componentActive Directory: Active Directory Credential RequestDescription

Monitor AD CS certificate requests (ex: EID 4886) as well as issued certificates (ex: EID 4887) for abnormal activity, including unexpected certificate enrollments and signs of abuse within certificate attributes (such as abusable EKUs).

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor for the execution of commands and other utilities abused to forge and/or steal certificates and related private keys.

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Ensure CA audit logs are enabled and monitor these services for signs of abuse.

IDDS0026Data source and componentActive Directory: Active Directory Object ModificationDescription

Monitor for changes to CA attributes and settings, such as AD CS certificate template modifications (ex: EID 4899/4900 once a potentially malicious certificate is enrolled).

IDDS0028Data source and componentLogon Session: Logon Session CreationDescription

Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (Schannel, associated with SSL/TLS) is highlighted as the Logon Process associated with an EID 4624 logon event.

IDDS0024Data source and componentWindows Registry: Windows Registry Key AccessDescription

Monitor for attempts to access information stored in the Registry about certificates and their associated private keys. For example, user certificates are commonly stored under HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates.

IDDS0022Data source and componentFile: File AccessDescription

Monitor for attempts to access files that store information about certificates and their associated private keys. For example, personal certificates for users may be stored on disk in folders such as %APPDATA%\Microsoft\SystemCertificates\My\Certificates\.

Mitigation

IDM1015NameActive Directory ConfigurationDescription

Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.

For example, consider disabling the usage of AD CS certificate SANs within relevant authentication protocol settings to enforce strict user mappings and prevent certificates from authenticating as other identifies. Also consider enforcing CA Certificate Manager approval for the templates that include SAN as an issuance requirement.

IDM1042NameDisable or Remove Feature or ProgramDescription

Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.

IDM1041NameEncrypt Sensitive InformationDescription

Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for Authentication.

IDM1047NameAuditDescription

Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (certsrv.msc). certutil.exe can also be used to examine various information within an AD CS CA database.