EXPLORE
Sign In
← Back to Explore
T1649

Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Auth...

WindowsLinuxmacOSIdentity Provider
24
Detections
3
Sources
1
Threat Actors

BY SOURCE

18splunk_escu4sigma2elastic

PROCEDURES (20)

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Event Log2 detections

Auto-extracted: 2 detections for event log

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Script Block2 detections

Auto-extracted: 2 detections for script block

Token1 detections

Auto-extracted: 1 detections for token

Privilege1 detections

Auto-extracted: 1 detections for privilege

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Service1 detections

Auto-extracted: 1 detections for service

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Service1 detections

Auto-extracted: 1 detections for service

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Script Block1 detections

Auto-extracted: 1 detections for script block

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Credential1 detections

Auto-extracted: 1 detections for credential

Token1 detections

Auto-extracted: 1 detections for token

THREAT ACTORS (1)

APT29

DETECTIONS (24)

Access to a Sensitive LDAP Attribute
elasticmedium
Certificate Exported From Local Certificate Store
sigmamedium
Certificate Private Key Acquired
sigmamedium
Certutil exe certificate extraction
splunk_escu
Detect Certify Command Line Arguments
splunk_escu
Detect Certify With PowerShell Script Block Logging
splunk_escu
Detect Certipy File Modifications
splunk_escu
HackTool - Certify Execution
sigmahigh
HackTool - Certipy Execution
sigmahigh
Potential Invoke-Mimikatz PowerShell Script
elasticcritical
Steal or Forge Authentication Certificates Behavior Identified
splunk_escu
Windows Export Certificate
splunk_escu
Windows Mimikatz Crypto Export File Extensions
splunk_escu
Windows PowerShell Export Certificate
splunk_escu
Windows PowerShell Export PfxCertificate
splunk_escu
Windows Steal Authentication Certificates - ESC1 Abuse
splunk_escu
Windows Steal Authentication Certificates - ESC1 Authentication
splunk_escu
Windows Steal Authentication Certificates Certificate Issued
splunk_escu
Windows Steal Authentication Certificates Certificate Request
splunk_escu
Windows Steal Authentication Certificates CertUtil Backup
splunk_escu
Windows Steal Authentication Certificates CryptoAPI
splunk_escu
Windows Steal Authentication Certificates CS Backup
splunk_escu
Windows Steal Authentication Certificates Export Certificate
splunk_escu
Windows Steal Authentication Certificates Export PfxCertificate
splunk_escu