T1649 Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), from misplaced certificate files (see Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CAs). This enrollment process, governed by the certificate template, defines the settings and permissions associated with the certificate. Of note, the certificate's extended key usage (EKU) values define whether it may be used for signing, encryption, and/or authentication, while the certificate's subject alternative name (SAN) values define the alternate identities (for example a user principal name) that the certificate can represent.(Citation: Medium Certified Pre Owned)
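Whether a stolen or newly enrolled certificate is usable as a logon credential depends on its EKU set, so the first check a defender or red teamer makes on a certificate or template is the one below. This is an added example, not code from the ATT&CK page or from the cited tools: it decodes a DER-encoded ExtendedKeyUsage value with a small hand-written TLV reader and reports whether the EKUs allow authentication. The OIDs are the standard values; the encoder and the sample extensions are constructed here only to produce test input.

```python
# Added example: parse a DER-encoded ExtendedKeyUsage extension value and decide
# whether the EKU set allows the certificate to be used for authentication.
# Not code from the ATT&CK page or from the cited tools; the OIDs are standard,
# the encoder and sample extensions are constructed for this example.
from typing import List

# EKUs that permit a certificate to authenticate a principal to Active Directory
# (the set called out in the "Certified Pre-Owned" research)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
# Common EKUs that do not, by themselves, allow authentication
OTHER_EKUS = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
}


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used to build test input)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 groups, continuation bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids: List[str]) -> bytes:
    """Wrap OID TLVs in the SEQUENCE that forms an ExtendedKeyUsage value."""
    body = b"".join(encode_oid(o) for o in oids)
    if len(body) >= 128:
        raise ValueError("long-form lengths are not needed for this example")
    return bytes([0x30, len(body)]) + body


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the value octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> List[str]:
    """Return the list of dotted OIDs in an ExtendedKeyUsage extension value."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtendedKeyUsage")
        oids.append(decode_oid(value))
    return oids


def allows_authentication(oids: List[str]) -> bool:
    """True if the certificate can be presented as an authentication credential.

    An absent EKU extension (empty list) is treated as authentication-capable:
    without the extension the certificate is not restricted to any purpose.
    """
    return not oids or any(o in AUTH_EKUS for o in oids)


def describe(oids: List[str]) -> List[str]:
    """Map OIDs to readable names, leaving unknown OIDs as-is."""
    return [AUTH_EKUS.get(o) or OTHER_EKUS.get(o) or o for o in oids]


if __name__ == "__main__":
    # Constructed sample extensions of the kind a template or issued certificate carries
    for label, ext in [("web server", encode_eku(["1.3.6.1.5.5.7.3.1"])),
                       ("user", encode_eku(["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"])),
                       ("no EKU", encode_eku([]))]:
        oids = parse_eku(ext)
        print(f"{label:10s} {describe(oids)} -> auth: {allows_authentication(oids)}")
```

The same check applies to templates: a template whose EKU list contains any of the authentication OIDs, or none at all, issues certificates that can be used to log on as whatever identity ends up in the SAN, which is why the SAN-control misconfigurations discussed below matter.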

Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or the mechanisms protecting/managing these keys) may also establish Persistence by forging arbitrary authentication certificates for the victim domain (known as "golden" certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to obtain other forms of credentials, such as Kerberos ticket-granting tickets (TGTs, including Golden Tickets) or NTLM hashes recoverable through PKINIT.(Citation: Medium Certified Pre Owned)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.06 | Encryption management practices | Mitigates | T1649 | Steal or Forge Authentication Certificates
  Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data at rest, in use, and in transit. To address theft or forgery of authentication certificates, ensure that certificates and their associated private keys are appropriately secured.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1649 | Steal or Forge Authentication Certificates
  Comments: This diagnostic statement protects against Steal or Forge Authentication Certificates through key management and key revocation. Certificate protection strategies such as storing private keys in hardware-backed key storage (a TPM or a Hardware Security Module), checking the validity of certificates used in identity management and authentication processes, and limiting certificates to specific accounts together with access control mechanisms protect against adversaries attempting to steal or forge authentication certificates.
PR.AA-03.01 | Authentication requirements | Mitigates | T1649 | Steal or Forge Authentication Certificates
  Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.
PR.AA-01.01 | Identity and credential management | Mitigates | T1649 | Steal or Forge Authentication Certificates
  Comments: This diagnostic statement protects against Steal or Forge Authentication Certificates through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.
PR.PS-01.05 | Encryption standards | Mitigates | T1649 | Steal or Forge Authentication Certificates
  Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access to or theft of data, protecting the confidentiality and integrity of data at rest, in use, and in transit. To address theft or forgery of authentication certificates, ensure that certificates and their associated private keys are appropriately secured.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
IA-05 | Authenticator Management | Mitigates | T1649 | Steal or Forge Authentication Certificates
IA-13 | Identity Providers and Authorization Servers | Mitigates | T1649 | Steal or Forge Authentication Certificates
IA-02 | Identification and Authentication (Organizational Users) | Mitigates | T1649 | Steal or Forge Authentication Certificates

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1649 | Steal or Forge Authentication Certificates
  Comments: Google Security Operations is able to trigger alerts on executed commands that access the locations where certificates are typically stored (e.g. %APPDATA%\Microsoft\SystemCertificates\My\Certificates\).
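The detection the mapping describes is a command-line match on the certificate store paths. The added example below is illustrative detection logic written for this page, not Google Security Operations rule syntax or any vendor's rule: it scans constructed process-creation events for the per-user file store path named above and for the machine store location in the Registry, and raises the severity when the same command line also contains a copy or export verb.

```python
# Added example: flag process-creation events whose command line touches the
# Windows certificate store locations. Illustrative detection logic for this
# page, not Google Security Operations rule syntax; all events are constructed.
import re
from typing import Dict, List, Optional

# The Registry pattern comes first so a machine-store export is labelled as such
# even though its path also contains the "\SystemCertificates\MY\Certificates" suffix.
STORE_PATTERNS = [
    (re.compile(r"(hklm|hkey_local_machine)\\software\\microsoft\\systemcertificates", re.I),
     "machine certificate store (Registry)"),
    (re.compile(r"\\microsoft\\systemcertificates\\(my|root|ca)\\certificates", re.I),
     "certificate store path"),
]
# Verbs that suggest the store is being copied out rather than merely listed
EXFIL_VERBS = re.compile(r"\b(copy|xcopy|robocopy|copy-item|export|compress-archive)\b", re.I)

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy "%APPDATA%\Microsoft\SystemCertificates\My\Certificates\*" C:\Temp\out'},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe C:\Users\alice\Documents"},
    {"host": "ws02", "user": "bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -c Get-ChildItem C:\Users\bob\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates"},
    {"host": "ws02", "user": "bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe export HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates C:\Temp\my.reg"},
]


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for an event that references a certificate store, else None."""
    cmd = event.get("cmdline", "")
    for pattern, where in STORE_PATTERNS:
        if pattern.search(cmd):
            # A plain listing is worth a look; a copy/export of the store is worth paging for
            severity = "high" if EXFIL_VERBS.search(cmd) else "medium"
            return {"host": event["host"], "user": event["user"], "image": event["image"],
                    "location": where, "severity": severity}
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Tune this by allowlisting the images that legitimately touch these paths in your environment (backup agents, enrollment tooling) before enabling the high-severity path. Note also what the rule cannot see: theft through the crypto APIs from inside a process leaves no such command line, so this covers only the file and Registry copy cases.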

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_guardduty | Amazon GuardDuty | technique_scores | T1649 | Steal or Forge Authentication Certificates
  Comments: The Amazon GuardDuty finding AttackSequence:IAM/CompromisedCredentials can aid in the detection of compromised credentials.
aws_cloudhsm | AWS CloudHSM | technique_scores | T1649 | Steal or Forge Authentication Certificates
  Comments: This service protects against techniques that involve stealing credentials, certificates, and keys from the organization by keeping private keys inside a dedicated hardware security module, where they cannot be exported.