Steal or Forge Authentication Certificates (T1649)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Steal or Forge Authentication Certificates

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.


Procedure Examples

Description / Source(s)

  • HarmJ0y. (2018, August 22). SharpDPAPI - Certificates. Retrieved August 2, 2022. Source: GitHub GhostPack Certificates
  • Microsoft. (2016, August 31). Active Directory Certificate Services Overview. Retrieved August 2, 2022. Source: Microsoft AD CS Overview
  • Schroeder, W. (2021, June 17). Certified Pre-Owned. Retrieved August 2, 2022. Source: Medium Certified Pre Owned
  • Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. Source: SpecterOps Certified Pre Owned
  • Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022. Source: O365 Blog Azure AD Device IDs
  • TheWover. (2021, April 21). CertStealer. Retrieved August 2, 2022. Source: GitHub CertStealer
  • Van Geluwe De Berlaere, T. (2022, November 8). They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming. Retrieved November 9, 2022. Source: APT29 Deep Look at Credential Roaming