detection.wiki

ATT&CK coverage › Technique

Steal or Forge Authentication Certificates T1649

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.

Events covered

10 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon11FileCreate
Security-Auditing4662An operation was performed on an object.
Security-Auditing4768A Kerberos authentication ticket (TGT) was requested.
Security-Auditing4876Certificate Services backup started.
Security-Auditing4886Certificate Services received a certificate request.
Security-Auditing4887Certificate Services approved a certificate request and issued a certificate.
CAPI270For more details for this event, please refer to the "Details" section
CertificateServicesClient-Lifecycle-System1007A certificate has been exported.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 17 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventID10eq 9, in 14104, 4887, 4886, 1007, 4768
ScriptBlockText3eq 3, in 1"*req *", "*auth *", "*find *", "*export-certificate*", "*export-pfxcertificate*"
CommandLine2match 2.exe find , .exe pkiobjects , /altname:, forge , -bloodhound
Image2ends_with 2\Certify.exe, \Certipy.exe
OriginalFileName2eq 2Certify.exe, Certipy.exe
Description2match 2Certify, Certipy
file_name2in 2"*_certipy.txt", "*_certipy.zip", "*_certipy.json", "*dh.ec.p8k", "*sign.rsa.pvk"
Attributes2eq 2"*SAN:*upn*", "*CertificateTemplate:*"
Properties1match 1b7ff5a38-0818-42b0-8110-d3d154c97f24, 612cb747-c0e8-4f92-9221-fdd5f15b550d, b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7
CertThumbprint1eq 1*

Top indicator values (82 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDeq41043108
Attributeseq"*CertificateTemplate:*"22
Attributeseq"*SAN:*upn*"22
EventIDeq48872
Propertiesmatch612cb747-c0e8-4f92-9221-fdd5f15b550d1
Propertiesmatchb7ff5a38-0818-42b0-8110-d3d154c97f241
Propertiesmatchb3f93023-9239-4f7c-b99c-6745d87adbc21
Propertiesmatchb8dfa744-31dc-4ef1-ac7c-84baf7ef9da71
CommandLinematch /path:1
CommandLinematch.exe cas 1
CommandLinematch.exe request 1
CommandLinematch /template:1
CommandLinematch /altname:1
Imageends_with\Certify.exe12
CommandLinematch.exe download 1
OriginalFileNameeqCertify.exe1
CommandLinematch /domain:1
CommandLinematch.exe find 1
DescriptionmatchCertify1
CommandLinematch /vulnerable1

Common exclusions (3 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
AccessMaskin0x01
SubjectUserSideqS-1-5-181
AccessMaskin0x1001

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Elastic 1 rule

Splunk 12 rules