Study Reveals Concerns Over Forged Certificate Attacks

Forged certificate attacks [1] [2] [4], also known as the Shadow Credentials technique [1], pose a significant concern in the field of cybersecurity. This article explores the use of various tools and techniques to detect and respond to such attacks.


Kaspersky cybersecurity expert Alexander Rodchenko offers a managed detection and response (MDR) service that includes a Proof-of-Concept utility called PKINIT [2]. This utility utilizes trusted certificates from a Certificate Authority (CA) to obtain a Ticket Granting Ticket (TGT) in Active Directory [2]. To analyze specific events that may indicate a forged certificate attack, Rodchenko suggests using the ELK stack and has developed a utility to compare legitimate and suspicious attributes in the system.

Elad Shamir’s tool, Whisker [2] [3], can generate a certificate and an asymmetric key [3], storing this information in the msDS-KeyCredentialLink attribute [3]. The generated certificate can be used with Rubeus [3], another cybersecurity tool [2], to request a ticket granting ticket (TGT) and further expand the attack [3]. Whisker provides the Rubeus command for requesting a TGT using certificate-based authentication [3]. The TGT [3], received in base-64 format [3], is cached in memory under the domain controller machine account [3]. The NTLM hash of the computer account is also displayed [3], which can be exploited in pass the hash attacks [3].

Red team operators can utilize the obtained TGT or hash to conduct additional attacks [3], such as dumping active directory hashes using DCSync or regaining access to sensitive hosts by impersonating domain administrator accounts [3]. Kaspersky’s MDR service, along with the tools Whisker and Rubeus, can be employed to detect and respond to forged certificate attacks.

Additionally, a Lazarus Group campaign targeting South Korean finance firms using a zero-day vulnerability in certificate software has been reported [1]. This attack [4], known as DPERSIST1 [4], is described in the “Certified Pre-Owned” whitepaper [4]. The CA’s private key [4], typically protected by hardware or the Data Protection API (DPAPI) [4], can be extracted by attackers who compromise a CA server using tools like Mimikatz or SharpDPAPI. With the stolen key [4], the attacker can forge certificates for domain authentication [4], valid for as long as the CA certificate remains valid [4]. These certificates can be created for any active principal in the domain [4], and the CA is unaware of their existence and cannot revoke them. ForgeCert utilizes BouncyCastle’s X509V3CertificateGenerator for the forgeries [4].


Forged certificate attacks pose a significant threat to cybersecurity. However, with the use of tools like PKINIT, Whisker [2] [3], and Rubeus [2], along with Kaspersky’s MDR service, organizations can detect and respond to such attacks effectively. It is crucial for CA servers to have robust protection measures in place to prevent the compromise of private keys. The ongoing development of new attack techniques, such as DPERSIST1, highlights the need for continuous vigilance and proactive security measures in the face of evolving cyber threats.