Skip to content

T1649 Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.52

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)7, misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.461 With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.3

Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate’s validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish Persistence by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).3 Adversaries may also target certificates and related services in order to access other forms of credentials, such as Golden Ticket ticket-granting tickets (TGT) or NTLM plaintext.3

Item Value
ID T1649
Tactics TA0006
Platforms Azure AD, Linux, Windows, macOS
Version 1.1
Created 03 August 2022
Last Modified 02 March 2023

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.10
G0016 APT29 APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.12
S0002 Mimikatz Mimikatz‘s CRYPTO module can create and export various types of authentication certificates.11


ID Mitigation Description
M1015 Active Directory Configuration Ensure certificate authorities (CA) are properly secured, including treating CA servers (and other resources hosting CA certificates) as tier 0 assets. Harden abusable CA settings and attributes.
M1047 Audit Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (certsrv.msc). certutil.exe can also be used to examine various information within an AD CS CA database.489
M1042 Disable or Remove Feature or Program Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.4
M1041 Encrypt Sensitive Information Ensure certificates as well as associated private keys are appropriately secured. Consider utilizing additional hardware credential protections such as trusted platform modules (TPM) or hardware security modules (HSM). Enforce HTTPS and enable Extended Protection for


ID Data Source Data Component
DS0026 Active Directory Active Directory Credential Request
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Access
DS0028 Logon Session Logon Session Creation
DS0024 Windows Registry Windows Registry Key Access