Steal or Forge Authentication Certificates

Description

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt communications and validate the identity of users, devices, or services. Certificates may also be used for authentication to access remote systems or in the process of encrypting files for ransom operations. Adversaries may steal certificates from compromised systems or forge certificates either by exploiting flaws in certificate generation software or by stealing certificate signing keys. Authentication certificates can be both user and computer certificates.

Computer certificates are often stored in the Windows Certificate Store, while user certificates are often stored in the Windows Personal Certificate Store. Adversaries may target certificates for use in accessing remote systems or services, or for use in encrypting communications.

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Credential Guard Status | |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows LSA Protection Status | |
| Tenable Identity Exposure | | Active Directory | Standard AD user | LDAP | Domain User | |
| Tenable Identity Exposure | | Entra ID | Standard Entra user | API | Entra ID User | |
| Tenable Identity Exposure | | Entra ID | Standard Entra user | API | Entra ID Devices | |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Device Join Status and Certificate Store | |
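As an added example (not Tenable's code or plugin logic), the following PowerShell reads the same host-side signals the table lists as collected data: LSA Protection, Credential Guard, Entra/domain join state, and the certificate stores where authentication certificates with private keys live. It assumes an elevated session on the Windows host and the documented meanings of RunAsPPL (1 = enabled, 2 = enabled with UEFI lock) and SecurityServicesRunning (1 = Credential Guard).

```powershell
# Added example: local read-out of LSA Protection, Credential Guard, join state
# and private-key-bearing certificates on one Windows host. Run elevated.

function Get-LsaProtectionStatus {
    # RunAsPPL = 1 (enabled) or 2 (enabled + UEFI lock); absent or 0 = disabled
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'LSA Protection (RunAsPPL)'
        Enabled = ($null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ge 1)
        Raw     = $lsa.RunAsPPL
    }
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $raw = if ($dg) { $dg.SecurityServicesRunning -join ',' } else { 'n/a' }
    [pscustomobject]@{
        Check   = 'Credential Guard'
        Enabled = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
        Raw     = $raw
    }
}

function Get-DeviceJoinStatus {
    # dsregcmd /status prints "AzureAdJoined : YES" / "DomainJoined : YES" lines
    $out = & dsregcmd.exe /status 2>$null
    [pscustomobject]@{
        AzureAdJoined = [bool]($out | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
        DomainJoined  = [bool]($out | Select-String -Pattern 'DomainJoined\s*:\s*YES'  -Quiet)
    }
}

function Get-AuthCertificateInventory {
    # Certificates with a private key in the machine and user Personal stores;
    # ClientAuth flags the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    ClientAuth = ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
                }
            }
    }
}

@(Get-LsaProtectionStatus; Get-CredentialGuardStatus) | Format-Table -AutoSize
Get-DeviceJoinStatus
Get-AuthCertificateInventory | Format-Table -AutoSize
```

A host where LSA Protection or Credential Guard reports Enabled = False, or where client-authentication certificates with private keys sit in the stores, is where this technique's credential material is most exposed and where the scan findings above should be prioritised.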

References

Windows LSA Protection Status

Windows Credential Guard Status

Microsoft Entra Joined Configuration (Windows)

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access