Steal or Forge Authentication Certificates
Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned) Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish Persistence by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as Golden Ticket ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)
Procedure Examples |
|
Name | Description |
---|---|
AADInternals |
AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.(Citation: AADInternals Documentation) |
APT29 |
APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.(Citation: Mandiant APT29 Trello) |
Mimikatz |
Mimikatz's `CRYPTO` module can create and export various types of authentication certificates.(Citation: Adsecurity Mimikatz Guide) |
Mitigations |
|
Mitigation | Description |
---|---|
Active Directory Configuration |
Implement robust Active Directory configurations using group policies to control access and reduce the attack surface. Specific examples include: * Account Configuration: Use provisioned domain accounts rather than local accounts to leverage centralized control and auditing capabilities. * Interactive Logon Restrictions: Enforce group policies that prohibit interactive logons for accounts that should not directly access systems. * Remote Desktop Settings: Limit Remote Desktop logons to authorized accounts to prevent misuse by adversaries. * Dedicated Administrative Accounts: Create specialized domain-wide accounts that are restricted from interactive logons but can perform specific tasks like installations or repository access. * Authentication Silos: Configure Authentication Silos in Active Directory to create access zones with restrictions based on membership in the Protected Users global security group. This setup enhances security by applying additional protections to high-risk accounts, limiting their exposure to potential attacks. |
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Encrypt Sensitive Information |
Protect sensitive information with strong encryption. |
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
References
- Thibault Van Geluwe De Berlaere. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022.
- TheWover. (2021, April 21). CertStealer. Retrieved August 2, 2022.
- Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.
- Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
- Schroeder, W. (2021, June 17). Certified Pre-Owned. Retrieved August 2, 2022.
- Microsoft. (2016, August 31). Active Directory Certificate Services Overview. Retrieved August 2, 2022.
- HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
- Wolfram, J. et al. (2022, April 28). Trello From the Other Side: Tracking APT29 Phishing Campaigns. Retrieved August 3, 2022.
- HarmJ0y et al. (2021, June 9). Certify. Retrieved August 4, 2022.
- HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.