Skip to content

DET0240 Detection Strategy for Steal or Forge Authentication Certificates

Item Value
ID DET0240
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1649 (Steal or Forge Authentication Certificates)

Analytics

Windows

AN0671

Monitor for abnormal certificate enrollment and usage activity in Active Directory Certificate Services (AD CS), registry access to certificate storage locations, and unusual process executions that attempt to export or access private keys.

Log Sources
Data Component Name Channel
Active Directory Credential Request (DC0084) WinEventLog:Security EventCode=4768
Windows Registry Key Access (DC0050) WinEventLog:Security EventCode=4657
Mutable Elements
Field Description
EKU_Thresholds Organizations may tune which Extended Key Usage (EKU) values are considered risky.
TimeWindow Defines how quickly multiple certificate enrollments from the same entity should trigger correlation alerts.
LogonContext Differentiate between service accounts and interactive user accounts to reduce false positives.

Linux

AN0672

Monitor for file access to certificate directories, commands invoking OpenSSL or PKCS#12 utilities to export or modify certificates, and processes accessing sensitive key storage paths.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/
Command Execution (DC0064) auditd:SYSCALL execve: openssl pkcs12, certutil, keytool
Mutable Elements
Field Description
PathExclusions Exempt trusted automated services regularly accessing PKI stores.
UserContext Differentiate root/system accounts versus user-level access to key material.

macOS

AN0673

Monitor for security commands and API calls interacting with the Keychain, as well as file access attempts to stored certificates and private keys in ~/Library/Keychains or /Library/Keychains.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog process calling security find-certificate, export, or import
File Access (DC0055) macos:keychain ~/Library/Keychains, /Library/Keychains
Mutable Elements
Field Description
ApplicationAllowList Whitelist legitimate apps that interact with Keychain to reduce false positives.

Identity Provider

AN0674

Monitor for abnormal certificate enrollment events in identity platforms, unexpected use of token-signing certificates, and unusual CA configuration modifications.

Log Sources
Data Component Name Channel
Active Directory Object Modification (DC0066) azure:signinlogs Add certificate credential, Update certificate credential
Application Log Content (DC0038) m365:unified certificate added or modified in application credentials
Mutable Elements
Field Description
GeoContext Detect certificate-related changes occurring from unusual geographic locations.
Thresholds Adjust enrollment/issuance request volume thresholds per tenant size.