RP0005: Theft of user certificate and private key

Summary

ID: RP0005
Brief Description: Response playbook for the "Theft of user certificate and private key" attack
Author: @ERMACK_COMMUNITY
Creation Date: 2023/05/31
Modification Date: 2023/06/06
Tags:
  • Status: Stable
  • Severity: High
  • TLP: Amber
  • PAP: White
  • Windows
Usecases

Description

Attackers can steal a user's certificate and private key and then authenticate on behalf of the certificate owner using the Public Key Cryptography for Initial Authentication (PKINIT) Kerberos extension. A successful "Theft of user certificate and private key" attack is quite dangerous, because the attacker obtains a credential that works as an alternative to the password.

Workflow

  1. Identify detected IOCs (tools, commands) used in the certificate theft in order to find specific artifacts. Review the list of created and downloaded files to find stolen certificates or programs used in the attack. Search for processes executed with "specific" flags. For example:
    • processes started with the arguments "dump", "exportPFX" or "certificates"
    • processes started with well-known flags: crypto::capi, crypto::certificates
  2. Find the domain account whose certificate was stolen and the host where these certificates were stored. If it is not possible to identify which certificates were stolen, consider revoking all certificates that are stored on the compromised host.
  3. When you have found the account whose certificate was stolen, go to the compromised Active Directory account response playbook.
  4. When you have found the host where these certificates were stored, go to the Windows host compromise response playbook.
  5. In the recovery stage, reissue the previously revoked certificate.
  6. Save all timestamps of the implemented actions in the Incident Report draft on the fly; it will save a lot of time.
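As an added illustration (not code from the original playbook), the following Python applies workflow steps 1 and 2 to constructed sample data: it flags process-creation events whose command line carries one of the indicators listed above, lists the files in the named certificate formats, and derives the (host, account) pairs that need the follow-on playbooks. Host names, user names, file paths and the tool name ct.exe are assumed sample values.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators named in step 1 of the playbook workflow.
SUSPICIOUS_ARGS = {"dump", "exportpfx", "certificates"}
SUSPICIOUS_FLAGS = {"crypto::capi", "crypto::certificates"}
CERT_EXTENSIONS = {".pfx", ".cer", ".pem", ".der"}

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    matched: tuple  # indicator tokens seen on the command line

def tokenize(command_line: str) -> list:
    # Strip quotes and leading switch markers so -exportPFX, /dump and
    # "certificates" compare as bare words; whole-token matching keeps a
    # file name such as dump_plan.txt from firing on the substring "dump".
    return [t.strip("\"'").lstrip("/-").lower() for t in command_line.split()]

def match_process(event: dict):
    """Return a Finding when a process-creation event carries an indicator."""
    hits = tuple(t for t in tokenize(event["CommandLine"])
                 if t in SUSPICIOUS_ARGS or t in SUSPICIOUS_FLAGS)
    return Finding(event["Computer"], event["User"], event["Image"], hits) if hits else None

def hunt(events):
    return [f for f in map(match_process, events) if f is not None]

def affected(findings):  # step 2: (host, account) pairs whose stored certificates are treated as stolen
    return sorted({(f.host, f.user) for f in findings})

def find_certificate_files(paths):
    """Step 1: created or downloaded files in the formats the playbook lists."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in CERT_EXTENSIONS]

# Constructed sample data (Sysmon event-1-style fields), not real telemetry.
TMP = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ct.exe"  # assumed tool path
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": TMP,
     "CommandLine": "ct.exe crypto::capi crypto::certificates exit"},
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": TMP,
     "CommandLine": 'ct.exe -exportPFX "my" out.pfx'},
    {"Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes\\dump_plan.txt"},
]
SAMPLE_FILES = ["C:\\Users\\jdoe\\Downloads\\corp-user.pfx", "C:\\Users\\jdoe\\Desktop\\notes.txt",
                "C:\\Temp\\export.CER", "C:\\Temp\\key.pem", "C:\\Temp\\readme.md"]
```

Running hunt(SAMPLE_EVENTS) flags the two ct.exe events and leaves the notepad event alone; affected() then yields the single pair WS-042 / CORP\jdoe for the account and host playbooks.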

Response discovery mapping

ARTIFACT    | RESPONSE ACTION                                                                              | RESPONSE ACTION OBSERVABLES
Certificate | Find file by format: find .pfx, .cer, .pem and .der files on the compromised host.            | Stolen certificates
Process     | Find process by executable content pattern: find the tools used in the attack.               | Identified certificate theft tool

Playbook Actions

Preparation

Operational Preparations

Identification

List Files Created
List Files Downloaded
Find File By Format
List Processes Executed
Find Process By Executable Content Pattern
Identify compromised data
Identify affected systems and users
Put Compromised Accounts On Monitoring

Containment

Block Process By Executable Content Pattern
Compromised active directory account
Windows host compromise

Eradication

Revoke Certificate

Recovery

Reissue Revoked Certificate

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts