New research has highlighted the severe risks posed by forged certificate attacks, which can lead to unauthorized access to important company resources.
These attacks, known as the Shadow Credentials technique, involve attackers exploiting certain parts of a system called Active Directory (AD) that manages user access to various services.
Kaspersky cybersecurity expert Alexander Rodchenko conducted the study, which was published today, and found essential clues to detect these attacks through the company’s managed detection and response (MDR) service. He also developed a tool to uncover suspicious activities within the system and crafted rules to help security systems identify potential attacks.
“Having analyzed the practical experience of our MDR service, I identified several signs of such attacks inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM,” the security expert wrote.
From a technical standpoint, the attackers take advantage of public key cryptography for initial authentication (PKINIT) to access specific system parts without needing the user’s password.
In this context, the attackers use a trusted certificate, which is typically issued by a Certificate Authority (CA) that the system trusts, to deceive the system and obtain a Ticket Granting Ticket (TGT) without needing the user’s password.
The study emphasized the importance of analyzing a specific event that occurs during the attacks, which contains crucial information about the certificates used by the attackers. To simplify this process, Rodchenko suggested using a tool called the ELK stack (Elasticsearch, Logstash, and Kibana), which can help filter out legitimate requests.
“By default, Logstash actually knows how to convert the bit fields of Event 4768 into an array of values specific to a ticket in the list. This also makes the search much faster and smoother,” Rodchenko wrote.
Additionally, the researcher identified a key sign of suspicious activity: the absence of a particular flag in the system. By using specific scripts, Rodchenko was able to identify attacks based on this sign, revealing the activity of attacker tools Whisker and Rubeus.
With the utility developed by Rodchenko, cybersecurity experts can compare legitimate and suspicious attributes in the system, making it easier to detect and respond to these attacks effectively.
The advisory comes months after Asec published a report on a Lazarus Group campaign targeting South Korean finance firms using a zero-day vulnerability in certificate software.