RP0004: Pass the certificate

Summary

ID: RP0004
Brief Description: Response playbook for a pass-the-certificate attack
Author: @ERMACK_COMMUNITY
Creation Date: 2023/05/11
Modification Date: 2023/05/27
Tags:
  • Status: Stable
  • Severity: High
Usecases

Description

Attackers can carry out a pass-the-certificate attack either with a certificate they created themselves (Golden Certificate or Shadow Credentials) or with a stolen certificate. A certificate created by the attackers cannot be revoked, because the certificate authority never issued it and has no record of it.

Workflow

  1. On the identification stage, find the domain account that was attacked and the host from which the attack occurred. This information can be taken from Windows Security event log 4768 - A Kerberos authentication ticket (TGT) was requested.
  2. On the containment stage, once you have found the attacked account, lock this account and go to the compromised Active Directory account response playbook.
  3. On the containment stage, once you have found the host from which the attack occurred, go to the Windows host compromised response playbook.
  4. On the eradication stage, if the certificate was stolen (meaning the certificate authority knows this certificate), revoke that certificate.
  5. On the recovery stage, unlock the previously locked account and reissue the previously revoked certificate.
  6. Save all timestamps of the implemented actions in the Incident Report draft on the fly; it will save a lot of time.

Response discovery mapping

ARTIFACT       | RESPONSE ACTION                                                                                                                          | RESPONSE ACTION OBSERVABLES
Domain account | Find the account for which the TGT was requested. The name of this account is in the account information section of the event log.      | Attacked domain account
Log            | Find Windows Security event log 4768 - A Kerberos authentication ticket (TGT) was requested.                                            | Event log with info about the requesting user, requesting IP address and certificate
Host           | Find the host from which the TGT was requested. The IP address of this host is in the network information section of the event log.    | Host from which the attack occurred
IP Address     | Find the IP address from which the TGT was requested. The IP address is in the network information section of the event log.           | IP address from which the attack occurred
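To work workflow step 1 and the discovery mapping above against an exported Security log, here is an added Python example that is not part of the ERMACK playbook: it keeps only the 4768 events in which the TGT was requested with a certificate (pre-authentication type 16, PA-PK-AS-REQ, or a populated certificate thumbprint) and pulls out the attacked account, the requesting IP address and the certificate fields. The two sample events, their account names, addresses and certificate values are all constructed for this example; the XML layout follows the Windows event schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PA_PK_AS_REQ = "16"  # PreAuthType value logged for PKINIT (certificate-based) pre-authentication

# Constructed sample: two 4768 events as exported from a domain controller's Security log.
# Event 1 used a certificate (PKINIT); event 2 is an ordinary password-based TGT request.
SAMPLE_4768_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4768</EventID><TimeCreated SystemTime="2023-05-11T08:14:02Z"/></System>
 <EventData>
  <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data>
  <Data Name="IpAddress">::ffff:10.20.30.40</Data><Data Name="PreAuthType">16</Data>
  <Data Name="CertIssuerName">corp-CA01-CA</Data><Data Name="CertSerialNumber">1A00000005</Data>
  <Data Name="CertThumbprint">0123456789ABCDEF0123456789ABCDEF01234567</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4768</EventID><TimeCreated SystemTime="2023-05-11T08:15:10Z"/></System>
 <EventData>
  <Data Name="TargetUserName">asmith</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data>
  <Data Name="IpAddress">::ffff:10.20.30.41</Data><Data Name="PreAuthType">2</Data>
  <Data Name="CertIssuerName"></Data><Data Name="CertSerialNumber"></Data>
  <Data Name="CertThumbprint"></Data>
 </EventData>
</Event>
</Events>"""


def certificate_tgt_requests(xml_text):
    """Return the 4768 events in which the TGT was requested with a certificate (PKINIT)."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4768":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        # Either signal is enough: pre-auth type 16 or a non-empty certificate thumbprint.
        if data.get("PreAuthType") != PA_PK_AS_REQ and not data.get("CertThumbprint"):
            continue
        hits.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "account": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "source_ip": data.get("IpAddress", "").removeprefix("::ffff:"),  # IPv4-mapped form
            "cert_issuer": data.get("CertIssuerName", ""),
            "cert_serial": data.get("CertSerialNumber", ""),
            "cert_thumbprint": data.get("CertThumbprint", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in certificate_tgt_requests(SAMPLE_4768_EVENTS):
        print(hit)  # one line per attacked account / source host / certificate triple
```

The issuer and serial number in each hit are what the certificate authority needs for the eradication-stage revocation check; a hit whose issuer the CA does not recognise points at an attacker-created certificate that cannot be revoked.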

Playbook Actions

Preparation

Operational Preparations
Get Ability To Lock User Account
Preparing to block user account via Powershell

Identification

Identify affected systems and users

Containment

Compromised active directory account
Windows host compromise

Eradication

Revoke Certificate

Recovery

Reissue Revoked Certificate

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts