This note documents detection patterns for Golden Certificate attacks within Active Directory environments. A Golden Certificate is a certificate forged offline with a stolen Enterprise CA private key; because the CA never sees a request, detection rests on the domain controllers' PKINIT events and on CA key-theft events, not on certificate issuance logs.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security (domain controller) | 4768 | Kerberos TGT requested | Critical | The first log a forged certificate produces. With PKINIT the event shows Pre-Authentication Type 16 and a Certificate Information block (Certificate Issuer Name, Certificate Serial Number, Certificate Thumbprint). For a Golden Certificate the issuer is your own CA but the serial number has no row in the CA database. |
| Security (domain controller) | 4624 | Successful logon | High | Follows the TGT. The event itself does not show the certificate, so correlate with 4768 by account, source address and time. |
| Security (domain controller) | 4672 | Special privileges assigned | High | Privileged session after a certificate-based TGT. Golden Certificates are normally forged for Domain Admin or domain controller accounts. |
| Security (CA server) | 4876 / 4877 | Certificate Services backup started / completed | Critical | certutil -backupkey and the certsrv backup wizard export the CA certificate and private key; an unscheduled backup is the most direct evidence of CA key theft. |
| Security (CA server) | 5058 / 5061 | Key file operation / Cryptographic operation | High | Access to the CA's key container outside normal CA service activity, for example an export with Mimikatz after it patches the CAPI/CNG export check. Not applicable when the key lives in an HSM. |
| Security (CA server) | 4886 / 4887 | Certificate request received / request approved and certificate issued | Low (for this attack) | A Golden Certificate is built offline with the stolen key, so it never generates 4886/4887 and never enters the CA database. Their value is negative: a 4768 citing a serial number with no matching 4887 or database row is the forgery. They remain relevant for enrollment-based template abuse. |
| Sysmon | 1 | Process creation | Medium | Certipy (forge, auth), ForgeCert, Rubeus asktgt /certificate, Mimikatz crypto::certificates /export, PKINITtools, or certutil -backupkey on the CA. |
| Sysmon | 3 | Network connection | Medium | Kerberos (TCP/UDP 88) to a domain controller from a host that normally has no reason to authenticate there. The forging step itself needs no connection to the CA. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Certificate unknown to the CA | 4768 Certificate Serial Number with no matching 4887 event and no row in the CA database while the issuer name is your CA | Critical | The defining signature of a Golden Certificate: it chains to the CA, but the CA never issued it. |
| Certificate authentication for an account that never enrolled | PKINIT TGT for a user with no issued certificate on the CA and no value in the AD userCertificate attribute | Critical | Smart card and Windows Hello for Business users have enrollment records; a Domain Admin who never enrolled should not appear in a certificate logon. |
| Certificate authentication where normally unused | Accounts or hosts that always authenticate with a password (Pre-Authentication Type 2) suddenly showing Pre-Authentication Type 16 | High | Golden Certificate attacks rely on PKINIT; baseline which principals legitimately use it. |
| Unexpected access to CA key material | CA backup events (4876/4877), logons to the CA host by accounts outside the PKI administrators, CA service stop/start (4881/4880) | Critical | The forgery is only possible after the CA private key has been obtained; treat the CA host as Tier 0. |
| ADCS access from unusual hosts | Enrollment or CA administration from workstations that never otherwise contact the CA | High | Covers enrollment-based template abuse rather than a pure Golden Certificate, but still a useful pivot to a possible attacker host. |
| Sudden privilege escalation after certificate authentication | 4672 and privileged actions (for example DCSync or group membership changes) shortly after a PKINIT 4768 for that account | Critical | The forged certificate exists to obtain a privileged TGT; the abuse follows immediately. |
| Presence of ADCS exploitation tools | Certipy, ForgeCert, Rubeus, Mimikatz or PKINITtools on endpoints, or certutil -backupkey on the CA | High | Direct evidence of certificate abuse attempts. |
Common Tools
| Tool | Usage |
|---|---|
| Certipy | certipy forge builds a certificate for an arbitrary user from a stolen CA key (-ca-pfx); certipy auth performs PKINIT with it and retrieves the NT hash. Also requests and abuses misconfigured templates. |
| ForgeCert | Forges certificates for arbitrary users from a compromised CA certificate and private key (PFX). |
| Rubeus | asktgt /certificate: requests a Kerberos TGT with a certificate (PKINIT); the ticket is then injected with ptt. |
| PKINITtools | Python scripts (gettgtpkinit.py, getnthash.py) built on minikerberos and Impacket that obtain a TGT with a certificate and recover the NT hash through U2U. Impacket on its own does not implement PKINIT. |
| Mimikatz | Exports non-exportable CA keys from the local key store (crypto::capi / crypto::cng patching, then crypto::certificates /export) and injects tickets. |
| Certutil | Built-in Windows utility. certutil -backupkey exports the CA certificate and key (legitimately or not); certutil -view queries the CA database and is the defender's way to check whether a serial number was ever issued. |
Relevant Artifacts
- Domain controller Security logs: 4768 with Certificate Information (issuer, serial number, thumbprint) and Pre-Authentication Type 16, followed by 4624 and 4672
- CA server Security logs: 4876/4877 (backup), 4880/4881 (service start/stop), 4882 (CA permissions changed), 5058/5061 (key container access); 4886/4887 only to confirm a serial number was never issued
- Certificate Authority database (certutil -view or the Issued Certificates folder in certsrv.msc), used to check whether the serial number from a 4768 exists
- Active Directory: the account's userCertificate attribute, and the NTAuthCertificates and CA objects under Public Key Services in the Configuration partition (a rogue CA would have to be published there)
- Domain controller System log, Microsoft-Windows-Kerberos-Key-Distribution-Center events 39/40/41 (the certificate mapping checks introduced by KB5014754): a forged certificate without the SID extension logs event 39
- Sysmon logs (1, 3)
- EDR telemetry identifying certificate abuse tooling
- PowerShell logs (script block event 4104) if certificate operations were scripted
- Prefetch, Amcache and Shimcache entries for certificate exploitation tools on the suspected source host
MITRE ATT&CK References
- T1649 Steal or Forge Authentication Certificates (forging with the stolen CA key)
- T1552.004 Unsecured Credentials: Private Keys (theft of the CA private key)
- T1550 Use Alternate Authentication Material (PKINIT with the forged certificate)
- T1558 Steal or Forge Kerberos Tickets (the TGT obtained is genuine; listed for the downstream ticket abuse)
Decision Tree
- Is the suspicious event present?
- Start from domain controller 4768 events with Pre-Authentication Type 16 (certificate present). CA issuance events (4886/4887) will not exist for a forged certificate, so their absence is expected.
- Was the certificate actually issued?
- Look up the Certificate Serial Number from the 4768 in the CA database (certutil -view). If the issuer is your CA but no row exists, treat the certificate as forged.
- What host generated the event?
- Resolve the 4768 IpAddress. A host that does not normally perform certificate logons, or is not a managed workstation, points to the attacker's system.
- Is the account expected to authenticate with a certificate?
- Privileged accounts rarely use PKINIT unless smart cards are enforced; compare with the account's enrollment history and userCertificate attribute.
- Pivot:
- Source host → Sysmon 1, Prefetch and EDR for Certipy, Rubeus, ForgeCert, Mimikatz or PKINITtools.
- Account → 4624/4672 and the privileged actions performed in the same session.
- CA server → 4876/4877 backups, key container access and unusual logons, to establish when and how the CA key was taken.
- Confirm exploitation
- A certificate-based TGT whose serial number the CA never issued confirms a Golden Certificate. At that point the CA key must be considered compromised and the CA re-keyed.
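The reconciliation step above (and the 4768 row of the Direct Indicators table) as an added worked example, not code from the original note: it parses 4768 event records in the XML shape the DC writes, keeps only the PKINIT ones, and checks each certificate serial number against a CA database export. The event records and the CA export are constructed sample data; the export imitates the CSV form of certutil -view, but its column headers and the CA name corp-DC01-CA are assumptions to adapt locally.

```python
"""
Reconcile certificate-based TGT requests (DC Security event 4768, PKINIT) with
the certificates the CA actually issued.  A Golden Certificate is forged offline
with the stolen CA key, so it names the CA as issuer but has no row in the CA
database: that mismatch is the verdict this script produces.

Added example for this note, not code from the original page.  The 4768 XML
records and the CA export are constructed sample data.  The CA export imitates
`certutil -view -out "SerialNumber,RequesterName,CommonName" csv`; the column
headers and the CA name "corp-DC01-CA" are assumptions.
"""
import csv
import io
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PA_PK_AS_REQ = "16"                 # 4768 Pre-Authentication Type used by PKINIT
OUR_CA_ISSUERS = {"corp-DC01-CA"}   # assumed: issuer names of the CAs we operate

# Shape of a 4768 record as written by the DC (real Data element names, constructed values).
_EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4768</EventID><Computer>DC01.corp.local</Computer></System>'
    '<EventData>'
    '<Data Name="TargetUserName">{user}</Data>'
    '<Data Name="TargetDomainName">CORP.LOCAL</Data>'
    '<Data Name="PreAuthType">{pa}</Data>'
    '<Data Name="IpAddress">{ip}</Data>'
    '<Data Name="CertIssuerName">{issuer}</Data>'
    '<Data Name="CertSerialNumber">{serial}</Data>'
    '<Data Name="CertThumbprint">{thumb}</Data>'
    '</EventData></Event>'
)

SAMPLE_4768 = [  # constructed: password logon, legitimate smart card logon, forged certificate
    _EVENT_XML.format(user="jsmith", pa="2", ip="::ffff:10.0.1.20", issuer="", serial="", thumb=""),
    _EVENT_XML.format(user="jsmith", pa="16", ip="::ffff:10.0.1.20", issuer="corp-DC01-CA",
                      serial="1A0000000C", thumb="0F1E2D3C4B5A69788796A5B4C3D2E1F001122334"),
    _EVENT_XML.format(user="Administrator", pa="16", ip="::ffff:10.0.9.77", issuer="corp-DC01-CA",
                      serial="7F00000001", thumb="DEADBEEF00000000000000000000000000000001"),
]

CA_DB_CSV = """SerialNumber,RequesterName,CommonName
1a0000000c,CORP\\jsmith,jsmith
1a0000000d,CORP\\DC01$,DC01.corp.local
"""


def parse_4768(xml_text):
    """Return the EventData name/value pairs plus the EventID of one event record."""
    root = ET.fromstring(xml_text)
    data = root.find("e:EventData", EVT_NS)
    fields = {d.get("Name"): (d.text or "").strip() for d in data.findall("e:Data", EVT_NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=EVT_NS)
    return fields


def norm_serial(serial):
    """Serials appear as '1a0000000c', '1A 00 00 00 0C' or with colons; compare hex digits only."""
    return "".join(c for c in serial.lower() if c in "0123456789abcdef")


def load_ca_db(csv_text):
    """Index the CA database export by normalised serial number."""
    return {norm_serial(r["SerialNumber"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def triage_pkinit(events_xml, ca_db, our_issuers=OUR_CA_ISSUERS):
    """Classify every certificate-based 4768; password pre-auth events are skipped."""
    findings = []
    for xml_text in events_xml:
        ev = parse_4768(xml_text)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != PA_PK_AS_REQ:
            continue
        issuer, serial = ev["CertIssuerName"], norm_serial(ev["CertSerialNumber"])
        f = {"user": ev["TargetUserName"], "ip": ev["IpAddress"], "issuer": issuer, "serial": serial}
        if issuer not in our_issuers:
            f.update(verdict="FOREIGN_ISSUER",
                     reason="certificate from a CA we do not operate; check NTAuthCertificates for a rogue CA")
        elif serial not in ca_db:
            f.update(verdict="FORGED",
                     reason="issuer is our CA but the CA database never issued this serial: Golden Certificate")
        elif ca_db[serial]["RequesterName"].split("\\")[-1].lower() != ev["TargetUserName"].lower():
            f.update(verdict="IDENTITY_MISMATCH",
                     reason="issued certificate used to authenticate as a different account (SAN/UPN abuse)")
        else:
            f.update(verdict="ISSUED", reason="serial present in CA database for the same requester")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_pkinit(SAMPLE_4768, load_ca_db(CA_DB_CSV)):
        print(f"{f['verdict']:<17} {f['user']:<15} {f['ip']:<18} serial={f['serial']}  ({f['reason']})")
```

On real data, feed it 4768 records exported from a DC (for example with wevtutil qe Security /f:xml and an EventID=4768 XPath filter) and a CA export made with certutil -view on the CA. The FOREIGN_ISSUER branch is deliberate: a certificate from a CA you do not run that still produced a TGT means that CA is trusted through NTAuthCertificates, which is its own incident.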
Example Detection Templates
KQL (Microsoft Sentinel, SecurityEvent table; the certificate fields of 4768 are not parsed columns, so they are extracted from the EventData XML)
SecurityEvent
| where EventID == 4768
| extend PreAuthType = extract(@'Name="PreAuthType">([^<]*)<', 1, EventData),
         CertIssuerName = extract(@'Name="CertIssuerName">([^<]*)<', 1, EventData),
         CertSerialNumber = extract(@'Name="CertSerialNumber">([^<]*)<', 1, EventData),
         CertThumbprint = extract(@'Name="CertThumbprint">([^<]*)<', 1, EventData)
| where PreAuthType == "16" and isnotempty(CertThumbprint)
| project TimeGenerated, Computer, TargetUserName, IpAddress, CertIssuerName, CertSerialNumber, CertThumbprint
Baseline of which accounts and sources use certificate logons at all (new pairs are the ones to investigate):
SecurityEvent
| where EventID == 4768 and EventData contains 'Name="PreAuthType">16<'
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 1h)
EQL (Elastic, winlogbeat field names)
any where event.code == "4768" and winlog.event_data.PreAuthType == "16"
Sigma
title: Kerberos TGT Requested With Certificate (PKINIT)
id: golden-certificate-detection
status: experimental
description: Detects a 4768 TGT request that used certificate pre-authentication. A Golden Certificate never touches the CA, so the domain controller's 4768 with Certificate Information is the first event the forged certificate produces; reconcile CertSerialNumber against the CA database.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        PreAuthType: '16'
    filter_machine_accounts:
        TargetUserName|endswith: '$'
    condition: selection and not filter_machine_accounts
fields:
    - TargetUserName
    - IpAddress
    - CertIssuerName
    - CertSerialNumber
    - CertThumbprint
falsepositives:
    - Legitimate smart card or Windows Hello for Business logons; tune with an allowlist of enrolled thumbprints and known workstations
level: medium
tags:
    - attack.credential_access
    - attack.t1649
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| CA key protection | Keep CA private keys in an HSM (non-exportable) and keep the root CA offline | Critical | The attack requires the CA private key. With an HSM the key cannot be copied off the host; compromise would need physical or HSM-administrator access. |
| Tier 0 handling of ADCS | Treat CA servers as domain controller equivalents: same admin tiering, no general-purpose software, no helpdesk local admins | Critical | Local administrator on a CA with a software key is sufficient to export it. |
| Certificate template restrictions | Limit enrollment and manager-approval rights on templates that allow client authentication | High | Does not stop a Golden Certificate (the forger ignores templates) but removes the cheaper escalation paths. |
| Strong certificate mapping | Enforce the KB5014754 strong mapping (SID extension) on domain controllers | Medium | Rejects forged certificates built without the SID extension (event 39); an attacker holding the CA key can include the extension, so this is a tripwire, not a block. |
| Monitoring | Alert on 4768 with Certificate Information for privileged accounts, reconcile serial numbers against the CA database, and alert on CA backups (4876/4877) | High | Early detection of both the key theft and its use. |
| ADCS auditing | Enable the Certification Services audit subcategory and set the CA's AuditFilter to all events (127), then restart the CA service | High | Without this the CA logs none of the 48xx events. Key container and cryptographic operation auditing (5058, 5061) come from separate subcategories (Other System Events, System Integrity). |
| Access control | Restrict administrative access to ADCS infrastructure, CA database backups and backup media | High | Prevents attackers from manipulating certificate services or recovering the key from a backup. |
| Response: re-key the CA | If key compromise is suspected, generate a new CA key pair, reissue certificates, and remove the old CA certificate from NTAuthCertificates and the trust stores | Critical | Revocation cannot help: the attacker chooses the serial numbers and can sign CRLs with the stolen key. |