{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1649/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","t1649","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic identifies potential theft or forgery of authentication certificates. It leverages the Splunk Risk data model to detect when five or more distinct analytics from the \u0026ldquo;Windows Certificate Services\u0026rdquo; analytic story trigger within a specified timeframe. The aggregated risk scores and event counts from multiple detections in that story indicate a potential attack aimed at compromising authentication mechanisms, through which attackers could gain unauthorized access to sensitive systems and data.
This detection is designed to surface an ongoing attack rather than individual certificate-related events: it correlates multiple alerts related to certificate services and fires only when several of them trigger within the same timeframe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise: An attacker gains initial access to a system within the target environment.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker enumerates the target network to identify systems running Windows Certificate Services.\u003c/li\u003e\n\u003cli\u003eVulnerability exploitation: The attacker exploits vulnerabilities or weaknesses in Certificate Services that allow certificates to be stolen or forged.\u003c/li\u003e\n\u003cli\u003eCertificate theft/forgery: The attacker steals existing valid certificates or forges new ones to impersonate legitimate users or systems.\u003c/li\u003e\n\u003cli\u003eLateral movement: Using the stolen or forged certificates, the attacker authenticates to other systems within the network.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation: The attacker uses the compromised certificates to escalate privileges on the target systems.\u003c/li\u003e\n\u003cli\u003eData access/exfiltration: With elevated privileges, the attacker accesses sensitive data or exfiltrates it from the network.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker maintains access through the compromised certificates, which remain usable until they expire or are revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to gain unauthorized access to critical systems and sensitive data. Because certificates are an authentication mechanism, their compromise can lead to widespread lateral movement within the network, data breaches, and potential disruption of services.
The severity depends on the value of the accessed data and the criticality of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that at least 5 analytics from the Windows Certificate Services analytic story are enabled in Splunk; the correlation requires five distinct analytics to fire, so with fewer enabled it can never trigger.\u003c/li\u003e\n\u003cli\u003eInvestigate any systems flagged by this alert to determine whether certificate theft or forgery has occurred, pivoting off the \u003ccode\u003erisk_object\u003c/code\u003e field to the contributing risk events.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003esteal_or_forge_authentication_certificates_behavior_identified_filter\u003c/code\u003e macro to exclude known-good sources in your environment and reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview and harden the Windows Certificate Services infrastructure based on the references provided to prevent future attacks targeting certificates.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Splunk search query to detect aggregations of certificate-related risk events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:46:15Z","date_published":"2026-05-28T17:46:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-steal-forge-auth-certs/","summary":"The analytic identifies potential theft or forgery of authentication certificates by detecting when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. Such an aggregation indicates an ongoing attack on authentication mechanisms that could grant unauthorized access to sensitive systems and data.","title":"Steal or Forge Authentication Certificates Behavior Identified","url":"https://feed.craftedsignal.io/briefs/2026-05-steal-forge-auth-certs/"}],"language":"en","title":"CraftedSignal Threat Feed — T1649","version":"https://jsonfeed.org/version/1.1"}