Steal or Forge Authentication Certificates (T1649)

Steal or Forge Authentication Certificates [T1649]

Information

Name: Steal or Forge Authentication Certificates
ID: T1649
Tactics:

Introduction

Stealing or forging authentication certificates (MITRE ATT&CK ID: T1649) refers to adversaries acquiring or creating digital certificates to impersonate legitimate entities, enabling them to bypass security controls, establish trust, and conceal malicious activities. Certificates are extensively used in authentication, encryption, and integrity verification; thus, compromising them poses significant risks. Within the MITRE ATT&CK framework, this technique falls under the Credential Access tactic, highlighting its role in enabling unauthorized access and persistence within target environments.

Deep Dive Into Technique

Attackers leverage stolen or forged authentication certificates primarily to masquerade as legitimate entities, bypass security protocols, or intercept encrypted communications. The process involves the following methods and mechanisms:

Stealing Valid Certificates:
- Attackers compromise certificate authorities (CAs) or intermediate authorities to directly issue fraudulent certificates.
- Extraction of certificates from compromised endpoints or servers using credential dumping tools, malware, or manual exfiltration.
- Exploiting misconfigured servers or applications that expose certificates unintentionally.
- Leveraging phishing or social engineering to trick administrators into sharing certificate data or access credentials.
Forging Certificates:
- Generation of self-signed certificates designed to mimic legitimate entities, exploiting weak verification processes.
- Utilizing publicly available tools like OpenSSL, Mimikatz, or custom scripts to create fraudulent certificates.
- Exploiting vulnerabilities in cryptographic libraries or certificate issuance processes to bypass validation checks.
Real-world Procedures:
- Attackers deploying compromised certificates in man-in-the-middle (MITM) attacks to intercept encrypted traffic.
- Malware leveraging stolen certificates to evade detection by endpoint protection solutions and network monitoring tools.
- Advanced Persistent Threat (APT) groups using forged certificates to authenticate malicious binaries or scripts, facilitating persistence and lateral movement.

When this Technique is Usually Used

Attackers typically employ this technique across multiple stages and scenarios within the cyberattack lifecycle, including:

Initial Access and Reconnaissance:
- Phishing attacks leveraging stolen certificates to appear trustworthy and bypass email security gateways.
- MITM attacks during reconnaissance to intercept and decrypt sensitive communications.
Privilege Escalation and Credential Access:
- Using compromised certificates to gain unauthorized access to sensitive systems or privileged accounts.
- Leveraging certificates to authenticate as legitimate services, bypassing multi-factor authentication (MFA) and other identity verification mechanisms.
Persistence and Defense Evasion:
- Digitally signing malicious binaries or scripts with stolen certificates to evade endpoint detection and response (EDR) solutions.
- Establishing persistent footholds by embedding compromised certificates in trusted certificate stores.
Lateral Movement and Command and Control (C2):
- Employing certificates to authenticate malicious traffic, enabling attackers to move laterally through secured network segments.
- Establishing encrypted C2 channels using stolen certificates to evade network monitoring and intrusion detection systems (IDS).

How this Technique is Usually Detected

Detection of stolen or forged authentication certificates involves proactive monitoring, robust auditing, and specific security tooling:

Monitoring and Auditing:
- Continuous monitoring of certificate issuance and usage logs for anomalies or unexpected certificate requests.
- Auditing certificate transparency logs, Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) responses for suspicious certificates.
- Reviewing network traffic for unusual certificate usage patterns, such as certificates being used from unknown IP addresses or unusual geographic locations.
Endpoint Detection and Response (EDR) and Antivirus Solutions:
- Detection of malicious binaries signed with suspicious or revoked certificates.
- Identifying the presence of tools like Mimikatz or OpenSSL on endpoints that could indicate certificate theft or forgery activities.
Network Security Tools:
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) detecting anomalous encrypted sessions or MITM attempts.
- SSL/TLS inspection tools identifying certificates with invalid or suspicious signatures, expired certificates, or self-signed certificates attempting to mimic legitimate entities.
Specific Indicators of Compromise (IoCs):
- Unexpected or unauthorized certificate issuance events logged by certificate authorities.
- Presence of certificates issued from unknown or suspicious CAs.
- Detection of certificates with abnormal attributes, such as mismatched issuer fields, unusual validity periods, or suspicious domain names.
- Known revoked certificates observed being actively used in authentication or encryption processes.

Why it is Important to Detect This Technique

Early detection of stolen or forged authentication certificates is crucial due to the severe impacts and risks associated with their misuse:

Security Risks:
- Enables attackers to bypass authentication mechanisms, gaining unauthorized access to critical systems and data.
- Facilitates interception of encrypted communications, leading to potential exposure of sensitive information.
Operational Impacts:
- Compromise of trusted certificates can disrupt legitimate business operations, requiring costly remediation efforts.
- Damage to organizational reputation and loss of customer trust due to breaches involving compromised certificates.
Compliance and Regulatory Consequences:
- Breaching regulatory standards (such as GDPR, PCI DSS, HIPAA) due to unauthorized access or data leakage.
- Potential legal liabilities and fines resulting from the misuse of authentication certificates.
Defense Evasion and Persistence:
- Attackers leveraging compromised certificates to evade detection by endpoint and network security solutions.
- Establishment of persistent footholds within networks, complicating remediation and incident response efforts.

Examples

Real-world instances of stolen or forged authentication certificates demonstrate the severity and prevalence of this technique:

Stuxnet (2010):
- Attackers utilized stolen digital certificates from reputable companies (Realtek Semiconductor and JMicron Technology) to digitally sign malicious drivers.
- This allowed Stuxnet malware to evade security mechanisms and infect industrial control systems (ICS), particularly targeting Iranian nuclear facilities.
Flame Malware (2012):
- Flame malware leveraged forged Microsoft certificates to impersonate Windows Update services.
- This enabled attackers to perform MITM attacks, intercept communications, and propagate malware undetected across targeted networks.
APT41 Campaigns (2017-2020):
- Chinese threat actor APT41 used stolen code-signing certificates to digitally sign malware payloads, evading antivirus and endpoint detection tools.
- Targeted multiple industries globally, including healthcare, gaming, and telecommunications, enabling persistent access and espionage operations.
ShadowHammer Attack (ASUS Supply Chain Attack, 2019):
- Attackers compromised ASUS's legitimate digital certificate to sign malicious software updates.
- Approximately one million ASUS users downloaded the compromised updates, demonstrating significant supply chain compromise and widespread impact.
SolarWinds Supply Chain Attack (2020):
- Attackers leveraged compromised digital certificates to sign malicious updates for SolarWinds Orion software.
- Allowed attackers to maintain stealthy persistence, evade detection, and compromise numerous high-profile organizations, including U.S. federal agencies and Fortune 500 companies.

These real-world examples highlight the critical importance of detecting and mitigating the theft or forgery of authentication certificates to prevent severe security incidents and operational disruptions.

Last updated 5 hours ago

Introduction

Deep Dive Into Technique

Stealing Valid Certificates:

Attackers compromise certificate authorities (CAs) or intermediate authorities to directly issue fraudulent certificates.
Extraction of certificates from compromised endpoints or servers using credential dumping tools, malware, or manual exfiltration.
Exploiting misconfigured servers or applications that expose certificates unintentionally.
Leveraging phishing or social engineering to trick administrators into sharing certificate data or access credentials.

Forging Certificates:

Generation of self-signed certificates designed to mimic legitimate entities, exploiting weak verification processes.
Utilizing publicly available tools like OpenSSL, Mimikatz, or custom scripts to create fraudulent certificates.
Exploiting vulnerabilities in cryptographic libraries or certificate issuance processes to bypass validation checks.

Real-world Procedures:

Attackers deploying compromised certificates in man-in-the-middle (MITM) attacks to intercept encrypted traffic.
Malware leveraging stolen certificates to evade detection by endpoint protection solutions and network monitoring tools.
Advanced Persistent Threat (APT) groups using forged certificates to authenticate malicious binaries or scripts, facilitating persistence and lateral movement.

When this Technique is Usually Used

Attackers typically employ this technique across multiple stages and scenarios within the cyberattack lifecycle, including:

Initial Access and Reconnaissance:

Phishing attacks leveraging stolen certificates to appear trustworthy and bypass email security gateways.
MITM attacks during reconnaissance to intercept and decrypt sensitive communications.

Privilege Escalation and Credential Access:

Using compromised certificates to gain unauthorized access to sensitive systems or privileged accounts.
Leveraging certificates to authenticate as legitimate services, bypassing multi-factor authentication (MFA) and other identity verification mechanisms.

Persistence and Defense Evasion:

Digitally signing malicious binaries or scripts with stolen certificates to evade endpoint detection and response (EDR) solutions.
Establishing persistent footholds by embedding compromised certificates in trusted certificate stores.

Lateral Movement and Command and Control (C2):

Employing certificates to authenticate malicious traffic, enabling attackers to move laterally through secured network segments.
Establishing encrypted C2 channels using stolen certificates to evade network monitoring and intrusion detection systems (IDS).

How this Technique is Usually Detected

Detection of stolen or forged authentication certificates involves proactive monitoring, robust auditing, and specific security tooling:

Monitoring and Auditing:

Continuous monitoring of certificate issuance and usage logs for anomalies or unexpected certificate requests.
Auditing certificate transparency logs, Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) responses for suspicious certificates.
Reviewing network traffic for unusual certificate usage patterns, such as certificates being used from unknown IP addresses or unusual geographic locations.

Endpoint Detection and Response (EDR) and Antivirus Solutions:

Detection of malicious binaries signed with suspicious or revoked certificates.
Identifying the presence of tools like Mimikatz or OpenSSL on endpoints that could indicate certificate theft or forgery activities.

Network Security Tools:

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) detecting anomalous encrypted sessions or MITM attempts.
SSL/TLS inspection tools identifying certificates with invalid or suspicious signatures, expired certificates, or self-signed certificates attempting to mimic legitimate entities.

Specific Indicators of Compromise (IoCs):

Unexpected or unauthorized certificate issuance events logged by certificate authorities.
Presence of certificates issued from unknown or suspicious CAs.
Detection of certificates with abnormal attributes, such as mismatched issuer fields, unusual validity periods, or suspicious domain names.
Known revoked certificates observed being actively used in authentication or encryption processes.

Why it is Important to Detect This Technique

Early detection of stolen or forged authentication certificates is crucial due to the severe impacts and risks associated with their misuse:

Security Risks:

Enables attackers to bypass authentication mechanisms, gaining unauthorized access to critical systems and data.
Facilitates interception of encrypted communications, leading to potential exposure of sensitive information.

Operational Impacts:

Compromise of trusted certificates can disrupt legitimate business operations, requiring costly remediation efforts.
Damage to organizational reputation and loss of customer trust due to breaches involving compromised certificates.

Compliance and Regulatory Consequences:

Breaching regulatory standards (such as GDPR, PCI DSS, HIPAA) due to unauthorized access or data leakage.
Potential legal liabilities and fines resulting from the misuse of authentication certificates.

Defense Evasion and Persistence:

Attackers leveraging compromised certificates to evade detection by endpoint and network security solutions.
Establishment of persistent footholds within networks, complicating remediation and incident response efforts.

Examples

Real-world instances of stolen or forged authentication certificates demonstrate the severity and prevalence of this technique:

Stuxnet (2010):

Attackers utilized stolen digital certificates from reputable companies (Realtek Semiconductor and JMicron Technology) to digitally sign malicious drivers.
This allowed Stuxnet malware to evade security mechanisms and infect industrial control systems (ICS), particularly targeting Iranian nuclear facilities.

Flame Malware (2012):

Flame malware leveraged forged Microsoft certificates to impersonate Windows Update services.
This enabled attackers to perform MITM attacks, intercept communications, and propagate malware undetected across targeted networks.

APT41 Campaigns (2017-2020):

Chinese threat actor APT41 used stolen code-signing certificates to digitally sign malware payloads, evading antivirus and endpoint detection tools.
Targeted multiple industries globally, including healthcare, gaming, and telecommunications, enabling persistent access and espionage operations.

ShadowHammer Attack (ASUS Supply Chain Attack, 2019):

Attackers compromised ASUS's legitimate digital certificate to sign malicious software updates.
Approximately one million ASUS users downloaded the compromised updates, demonstrating significant supply chain compromise and widespread impact.

SolarWinds Supply Chain Attack (2020):

Attackers leveraged compromised digital certificates to sign malicious updates for SolarWinds Orion software.
Allowed attackers to maintain stealthy persistence, evade detection, and compromise numerous high-profile organizations, including U.S. federal agencies and Fortune 500 companies.