Breaking the Chain: Defending Against Certificate Services Abuse
Common Information
Type Value
UUID c318139f-1787-4b87-9298-7a31bfaaef01
Fingerprint 7c5fe6dd5d3cdb90
Analysis status DONE
Considered CTI value 0
Text language
Published March 23, 2023, 8:03 a.m.
Added to db March 23, 2023, 5:54 p.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Breaking the Chain: Defending Against Certificate Services Abuse
Title Breaking the Chain: Defending Against Certificate Services Abuse
Detected Hints/Tags/Attributes 53/1/27
RSS Feed
Id Enabled Feed title Url Added to db
375 Splunk Blogs https://www.splunk.com/blog/feed/ 2024-08-30 22:08
Attributes
Type #Events CTI Value
Domain 26 posts.specterops.io
Domain 4128 github.com
Domain 7 specterops.io
Domain 1 bamcisnetworks.wordpress.com
Domain 6 www.thehacker.recipes
Email 1 atomic@art.local
File 14 cryptdll.dll
File 83 crypt32.dll
File 478 lsass.exe
File 226 certutil.exe
File 1 c:\temp\atomic.pfx
File 1 c:\\temp\\certificates\\ or  certutil.exe
File 2 certified_pre-owned.pdf
Github username 18 ghostpack
md5 1 31f5a395749a3fbe4833b2dcc53992f2
Microsoft Patch Numbers 6 KB5005413
MITRE ATT&CK Techniques 26 T1552.004
Url 3 https://posts.specterops.io/certified-pre-owned-d95910965cd2
Url 3 https://github.com/ghostpack/pspkiaudit
Url 2 https://github.com/ghostpack/certify
Url 1 https://specterops.io/wp-content/uploads/sites/3/2022/06/certified_pre-owned.pdf
Url 1 https://bamcisnetworks.wordpress.com/2015/11/18/certutil-powershell-export-import-pfx
Url 1 https://www.thehacker.recipes/ad/movement/ad-cs
Url 1 https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-now-detects-suspicious/ba-p/3743335
Url 1 https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Windows Registry Key 1 HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates
Windows Registry Key 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates