Active Directory Golden Certificate

Golden Certificate is an Active Directory persistence technique built on top of a compromise of Active Directory Certificate Services (AD CS).

What is Golden Certificate?

When malicious actors gain administrative access to an Active Directory Certificate Services (AD CS) certificate authority (CA), they can extract the CA certificate and its private key. Once obtained, this material can be used to create valid certificates that impersonate any user object in the domain. The CA certificate and private key of a root or subordinate certificate authority can be obtained with the built-in administrative tools intended for backups, or with open source tools such as Mimikatz, Seatbelt, and SharpDPAPI. Mimikatz or ForgeCert can then be used to forge a new certificate. Certificates created with these tools are signed by the private key of the extracted CA certificate and are accepted within the domain. Certificates remain valid until they are revoked; if revocation is not performed, the result is effectively permanently valid certificates, allowing malicious actors to maintain a persistent presence in the network.

Golden Certificate Mitigation

To mitigate a Golden Certificate attack, both root and subordinate certificate authorities must be secured against compromise. Because of their critical role, CAs should be protected like other critical servers, such as Domain Controllers. This means minimizing the number of user objects with access to CAs, using CAs only for AD CS, and monitoring CAs for signs of compromise.

Security measures to take against a Golden Certificate attack:

  • Multi-Factor Authentication (MFA): Use MFA to authenticate privileged users of systems. MFA can prevent malicious actors from gaining access to a CA with stolen credentials and thereby prevent the extraction of the CA certificate and private key.
  • Application Control: An effective application control configuration on CAs prevents malicious executables like Mimikatz from running.
  • Using a Hardware Security Module (HSM): Use an HSM to protect the key material of CAs. When an HSM is used, the private key of a CA cannot be backed up and exported by malicious actors.
  • Limiting Access to AD CS CAs: Only grant access to AD CS CAs to privileged users who require it. This can be fewer users than the Domain Admins security group and reduces the chance of malicious actors gaining access to a CA.
  • Limiting Privileged Access Paths to AD CS CA Servers: Limit privileged access paths to AD CS CA servers to jump servers and secure admin workstations where only the required ports and services are used. AD CS servers are classified as 'Tier 0' entities within Microsoft's 'Enterprise Access Model'.
  • Using AD CS CA Servers Only for AD CS: Do not install services or applications that are not required for AD CS. This reduces the attack surface of AD CS CA servers, because fewer services, ports, and applications are available to compromise an AD CS CA server.

Golden Certificate Detection

Golden Certificate is difficult to detect because it requires detecting the initial backup and export of the CA certificate and private key. AD CS CAs can be configured to audit certain events; however, visibility into CA certificate backups remains limited.

How to Configure AD CS CA Event Auditing?

AD CS CA event auditing is not enabled by default. To configure audit logging for AD CS CAs:

  • In the Group Policy applied to the CAs, enable 'Audit object access' for Certification Services. The setting is found under Security Settings, 'Advanced Audit Policy Configuration'.
  • In the Auditing tab of the CA properties, enable the 'Backup and restore the CA database' option as an event to audit.

Event 4876 is triggered when a full backup of the CA database is requested. This occurs when the 'Certificate database and certificate database log' option is selected in the backup wizard. If only the 'Public Key and CA certificate' option is selected, this event will not be generated. Therefore, this event cannot be relied upon to detect all backup attempts.

Windows CAPI2 logs can capture certificate export events. This logging must be enabled in Event Viewer on CAs. When enabled, any backup of a CA certificate and private key will generate event 70 labeled 'Acquire Certificate Private Key'.
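The steps above can also be applied from an elevated PowerShell session on the CA itself, which is useful for scripting the baseline across several CAs. This is an added example and not part of the original article; the AuditFilter bitmask value (bit 0x2 corresponds to 'Backup and restore the CA database', 127 enables all seven categories) and the log size are assumptions to adjust to your environment.

```powershell
# Added example (not from the original article): enable the three audit sources
# described above on an AD CS CA. Run in an elevated PowerShell session on the CA.

# 1. Advanced audit policy: Object Access > Certification Services.
#    Local equivalent of the Group Policy setting; Group Policy wins if both are set.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. CA "Auditing" tab. The checked boxes are stored as a bitmask in
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\AuditFilter.
#    Assumption: bit 0x2 = "Backup and restore the CA database"; 127 = all categories.
$auditFilter = 127
certutil -setreg CA\AuditFilter $auditFilter

# The CA service reads AuditFilter at start-up, so restart it (brief issuance outage).
Restart-Service -Name CertSvc

# 3. CAPI2 operational log, the source of event 70 "Acquire Certificate Private Key".
#    It is disabled by default and small, so enable it and enlarge it (100 MB here).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600

# Verify the result of all three steps.
auditpol /get /subcategory:"Certification Services"
certutil -getreg CA\AuditFilter
wevtutil gl Microsoft-Windows-CAPI2/Operational | Select-String -Pattern 'enabled|maxSize'
```

Forward the CAPI2 and Security logs off the CA to a SIEM: an actor who can back up the CA key can also clear the local logs, which is exactly why event 1102 is in the table below.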

Event IDs for Detecting Golden Certificate

Event ID | Source | Description
70 | CAPI2 logs on root and subordinate CAs | This event is generated when a certificate is exported. Filter it on the 'subjectName' field to check whether it matches a CA certificate.
1102 | Root and subordinate CAs | This event is generated when the 'Security' audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove evidence of their activity. Analyzing this event can help determine whether an AD CS CA has been compromised.
4103 | Root and subordinate CAs | This event is generated when PowerShell is executed and logs pipeline execution details. Common tools such as Certutil and Mimikatz use PowerShell. PowerShell executions associated with these tools may indicate Golden Certificate activity.
4104 | Root and subordinate CAs | This event is generated when code is executed and captures PowerShell commands and scripts. Common tools such as Certutil and Mimikatz use PowerShell. PowerShell executions associated with these tools may indicate Golden Certificate activity.
4876 | Root and subordinate CAs | This event is triggered when a backup of the CA database is initiated. It does not log the export of the private key itself, but it can be an indicator of other potentially suspicious activity on a CA.
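The table's filtering advice for event 70 can be turned into a small triage script. The following is an added example, not code from the original article: it pulls the listed event IDs from a CA's local logs for a lookback window and flags CAPI2 event 70 records whose 'subjectName' matches the CA's own certificate. The subject pattern is a constructed placeholder, and the assumption that the subject name appears as a `subjectName` attribute somewhere in the event's UserData payload follows the article's wording.

```powershell
# Added example (not from the original article): triage the table's event IDs
# on an AD CS CA. Run with read access to the Security, CAPI2 and PowerShell logs.
param(
    [string]$CaSubjectPattern = 'CN=CONTOSO-ROOT-CA',   # constructed placeholder
    [int]$LookbackHours = 24
)
$since = (Get-Date).AddHours(-$LookbackHours)

# --- CAPI2 event 70: a private key was acquired (e.g. for export) ---
$capi2 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 70
    StartTime = $since
} -ErrorAction SilentlyContinue

$keyExports = foreach ($e in $capi2) {
    $xml = [xml]$e.ToXml()
    # Assumption: the certificate is described by an element with a subjectName
    # attribute; match it wherever it sits in the payload.
    $subjects = $xml.SelectNodes('//*[@subjectName]') | ForEach-Object { $_.subjectName }
    foreach ($s in $subjects) {
        if ($s -match $CaSubjectPattern) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = 70
                Source  = 'CAPI2'
                Detail  = "Private key acquired for CA certificate '$s'"
            }
        }
    }
}

# --- Security log: 4876 (CA database backup started), 1102 (audit log cleared) ---
$security = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4876, 1102
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Source  = 'Security'
        Detail  = ($_.Message -split "`r?`n")[0]   # first line of the message
    }
}

# --- PowerShell log: 4103/4104, keyed on the tool names from the table ---
# Requires Module Logging / Script Block Logging to be enabled by policy.
$psLog = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Message -match 'certutil|mimikatz'
} | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Source  = 'PowerShell'
        Detail  = ($_.Message -split "`r?`n")[0]
    }
}

# Combine and present oldest first so the sequence of activity is visible.
$findings = @($keyExports) + @($security) + @($psLog)
$findings | Sort-Object Time | Format-Table -AutoSize
```

A match on event 70 with the CA's own subject name is the highest-value signal in this set; a 4876 followed shortly by an 1102 with no event 70 is the pattern to expect when the actor has already cleared the CAPI2 log, which is why the logs should be forwarded off the CA.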

Detecting and analyzing these events not only helps identify the presence of a Golden Certificate, but can also serve as an early warning of a potential AD CS CA compromise.
