Steal or Forge Authentication Certificates

Steal or Forge Authentication Certificates is a technique in which an adversary obtains or generates digital certificates through illicit means in order to impersonate a legitimate identity during a network attack. Digital certificates are commonly used to sign and encrypt messages or files, and they are also important material for authentication. Adversaries can steal such certificates in several ways, including extracting AD CS certificates from the Registry, the file system or browser memory, accessing the Windows certificate store directly through APIs, or using social engineering to induce users to disclose them. In addition, an adversary who obtains the private key of a root certificate may create a forged "golden certificate" and thereby impersonate a legitimate entity over the long term, bypassing multi-factor authentication and other security measures. The technique can be used in the lateral movement, privilege escalation and persistence phases of an attack. Traditional defences rely mainly on certificate revocation checks, protection of key storage and hardening of certificate policies, for example monitoring anomalous certificate enrolment requests and auditing Certificate Transparency logs.

The evolution of stealth techniques poses a fundamental challenge to defences built on certificate revocation lists and signature verification. To counter new certificate-forgery threats, defenders need to build deeper detection capabilities such as certificate behaviour analysis and key-usage pattern recognition, implement continuous identity verification based on zero trust, and harden CA systems with hardware-backed key protection.

ID: T1649
Sub-techniques: No sub-techniques
Tactic: Credential Access
Platforms: Identity Provider, Linux, Windows, macOS
Contributors: Lee Christensen, SpecterOps; Thirumalai Natarajan, Mandiant; Tristan Bennett, Seamless Intelligence
Version: 1.2
Created: 03 August 2022
Last Modified: 14 October 2024

Stealth Effects

Effect type    Present
Signature masquerading
Behavioural transparency
Data obscuring
Spatiotemporal trace dispersal

Signature masquerading

Through methods such as certificate template abuse and certificate signature spoofing, adversaries steal or forge standards-compliant digital certificates whose fields (issuing authority, validity period, key usage and so on) fully mimic those of legitimate certificates, so that at the protocol level the forged credential shows no distinguishing characteristic from a normal one. A golden certificate, for example, carries a legitimate CA signature and standard extension fields and passes certificate chain validation cleanly.

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[1]

G0016 APT29

APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.[2]

S0002 Mimikatz

Mimikatz's CRYPTO module can create and export various types of authentication certificates.[3]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.

For example, consider disabling the usage of AD CS certificate SANs within relevant authentication protocol settings to enforce strict user mappings and prevent certificates from authenticating as other identities.[4] Also consider enforcing CA Certificate Manager approval for the templates that include SAN as an issuance requirement.

M1047 Audit

Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (certsrv.msc). certutil.exe can also be used to examine various information within an AD CS CA database.[4][5][6]

M1042 Disable or Remove Feature or Program

Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.[4]

M1041 Encrypt Sensitive Information

Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for Authentication.[4]

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Credential Request

Monitor AD CS certificate requests (ex: EID 4886) as well as issued certificates (ex: EID 4887) for abnormal activity, including unexpected certificate enrollments and signs of abuse within certificate attributes (such as abusable EKUs).[4]
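As an added example (not code from ATT&CK or from this page), the following Python applies the EID 4886/4887 check above, together with the SAN concern raised under M1015, to a few constructed event records: it flags requests in which a requester-supplied UPN SAN names a different account than the requester. The event field names, attribute layout and sample values are assumptions for illustration.

```python
import re

# Constructed sample records modelled on the AD CS audit events the text names:
# EID 4886 (certificate request received) and EID 4887 (request approved and
# certificate issued). Field names are an assumption; in production the records
# would be read from the CA host's Security log.
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    # A user requesting a client-auth certificate that carries someone else's
    # UPN in the SAN: the pattern the SAN mitigation in M1015 is meant to block.
    {"EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:ClientAuth\r\nSAN:upn=administrator@corp.local"},
    {"EventID": 4886, "Requester": "CORP\\web01$",
     "Attributes": "CertificateTemplate:WebServer\r\nSAN:dns=web01.corp.local"},
    {"EventID": 4887, "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User\r\nSAN:upn=Alice@corp.local"},
]

ATTR_RE = re.compile(r"^\s*([^:\r\n]+):(.*?)\s*$", re.MULTILINE)
UPN_RE = re.compile(r"upn=([^&,\s]+)", re.IGNORECASE)


def parse_attributes(attrs):
    """Split the Attributes field into a {name: value} dict with lowercased keys."""
    return {k.strip().lower(): v for k, v in ATTR_RE.findall(attrs)}


def account_name(requester):
    """'CORP\\jdoe' -> 'jdoe'; machine accounts keep their trailing '$'."""
    return requester.rsplit("\\", 1)[-1].lower()


def find_san_mismatches(events):
    """Return request/issue events whose requester-supplied UPN SAN names a
    different account than the requester. Only upn= SANs are compared;
    dns= SANs would need a separate host allow-list check."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4886, 4887):
            continue
        attrs = parse_attributes(ev.get("Attributes", ""))
        san = attrs.get("san")
        if not san:
            continue  # no requester-supplied SAN, nothing to compare
        for upn in UPN_RE.findall(san):
            if upn.split("@", 1)[0].lower() != account_name(ev["Requester"]):
                findings.append({"event_id": ev["EventID"],
                                 "requester": ev["Requester"],
                                 "template": attrs.get("certificatetemplate"),
                                 "san_upn": upn})
    return findings
```

On the constructed records only the jdoe request naming administrator@corp.local is reported; a matching UPN and a dns-only SAN pass.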

Active Directory Object Modification

Monitor for changes to CA attributes and settings, such as AD CS certificate template modifications (ex: EID 4899/4900 once a potentially malicious certificate is enrolled).[4]

DS0015 Application Log Application Log Content

Ensure CA audit logs are enabled and monitor these services for signs of abuse.[4]

DS0017 Command Command Execution

Monitor for the execution of commands and other utilities abused to forge and/or steal certificates and related private keys.[4]

DS0022 File File Access

Monitor for attempts to access files that store information about certificates and their associated private keys. For example, personal certificates for users may be stored on disk in folders such as %APPDATA%\Microsoft\SystemCertificates\My\Certificates\.[4][7]

DS0028 Logon Session Logon Session Creation

Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (Schannel, associated with SSL/TLS) is highlighted as the Logon Process associated with an EID 4624 logon event.[4]

DS0024 Windows Registry Windows Registry Key Access

Monitor for attempts to access information stored in the Registry about certificates and their associated private keys. For example, user certificates are commonly stored under HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates.[4][7]

References