Steal or Forge Authentication Certificates

Description

Adversaries may steal or forge certificates used for authentication in order to access remote systems or resources. Digital certificates are commonly used to sign and encrypt communications and to validate the identity of users, devices, or services. They may also serve as authentication credentials for remote systems, or be used to encrypt files during ransom operations. Adversaries may steal certificates from compromised systems, or forge them either by exploiting flaws in certificate generation software or by stealing certificate signing keys. Authentication certificates can be either user or computer certificates.

Computer certificates are typically stored in the Windows Certificate Store (the local machine store), while user certificates are typically stored in the Windows Personal Certificate Store (the current user store). Adversaries may target certificates in either store for use in accessing remote systems or services or in encrypting communications.
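The following added example (not code from this page or its product) is a defender-side PowerShell check that inventories authentication-capable certificates with private keys in the computer and user stores and reports the host protections listed under References below. It assumes Windows 10 / Server 2016 or later and an elevated session; the function names are mine, while the registry value, CIM class and dsregcmd output are standard Windows.

```powershell
# Added example, not part of the original page. Run from an elevated PowerShell session.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# List certificates that carry a private key and can be used for client authentication.
function Get-AuthCertInventory {
    foreach ($storePath in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
                [pscustomobject]@{
                    Store      = $storePath
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # An empty EKU list means "any purpose", so treat it as client-auth capable.
                    ClientAuth = ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
                }
            }
    }
}

# Report the protections referenced on this page: LSA Protection, Credential Guard, Entra join.
function Get-KeyProtectionStatus {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    # RunAsPPL = 1 (enabled) or 2 (enabled with UEFI lock) means LSASS runs as a protected process.
    $lsaProtection = [bool]($lsa.RunAsPPL -in 1, 2)

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 1 when Credential Guard is actually running.
    $credentialGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # dsregcmd prints "AzureAdJoined : YES" on Entra-joined devices.
    $entraJoined = [bool]((dsregcmd /status 2>$null) -match '^\s*AzureAdJoined\s*:\s*YES')

    [pscustomobject]@{
        LsaProtection   = $lsaProtection
        CredentialGuard = $credentialGuard
        EntraJoined     = $entraJoined
    }
}

Get-KeyProtectionStatus | Format-List
Get-AuthCertInventory | Where-Object ClientAuth | Format-Table -AutoSize
```

Certificates flagged ClientAuth with private keys on a host where LsaProtection or CredentialGuard is False are the ones most exposed to the theft described above and are worth reviewing first.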

Products, Sensors, and Dependencies

Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes

References

Windows LSA Protection Status

Windows Credential Guard Status

Microsoft Entra Joined Configuration (Windows)

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access