EXPLORE
Sign In
← Back to Explore
T1649

Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Auth...

WindowsLinuxmacOSIdentity Provider
25
Detections
4
Sources
1
Threat Actors

BY SOURCE

18splunk_escu4sigma2elastic1kql

PROCEDURES (22)

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Event Log2 detections

Auto-extracted: 2 detections for event log

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Service1 detections

Auto-extracted: 1 detections for service

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Script Block1 detections

Auto-extracted: 1 detections for script block

Script Block1 detections

Auto-extracted: 1 detections for script block

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Credential1 detections

Auto-extracted: 1 detections for credential

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

THREAT ACTORS (1)

APT29

DETECTIONS (25)

Access to a Sensitive LDAP Attribute
elasticmedium
Certificate Exported From Local Certificate Store
sigmamedium
Certificate Private Key Acquired
sigmamedium
Certutil exe certificate extraction
splunk_escu
Detect Certify Command Line Arguments
splunk_escu
Detect Certify With PowerShell Script Block Logging
splunk_escu
Detect Certipy File Modifications
splunk_escu
HackTool - Certify Execution
sigmahigh
HackTool - Certipy Execution
sigmahigh
Kerberos attacks
kql
Potential Invoke-Mimikatz PowerShell Script
elasticcritical
Steal or Forge Authentication Certificates Behavior Identified
splunk_escu
Windows Export Certificate
splunk_escu
Windows Mimikatz Crypto Export File Extensions
splunk_escu
Windows PowerShell Export Certificate
splunk_escu
Windows PowerShell Export PfxCertificate
splunk_escu
Windows Steal Authentication Certificates - ESC1 Abuse
splunk_escu
Windows Steal Authentication Certificates - ESC1 Authentication
splunk_escu
Windows Steal Authentication Certificates Certificate Issued
splunk_escu
Windows Steal Authentication Certificates Certificate Request
splunk_escu
Windows Steal Authentication Certificates CertUtil Backup
splunk_escu
Windows Steal Authentication Certificates CryptoAPI
splunk_escu
Windows Steal Authentication Certificates CS Backup
splunk_escu
Windows Steal Authentication Certificates Export Certificate
splunk_escu
Windows Steal Authentication Certificates Export PfxCertificate
splunk_escu