title: Steal or Forge Authentication Certificates (T1649)
id: df00tech-t1649
status: experimental
description: "This detection identifies adversary attempts to steal or forge authentication certificates from Windows certificate stores, Active Directory Certificate Services (AD CS) infrastructure, or via crypto APIs. Key behaviors include use of certutil.exe with export flags, Mimikatz crypto module commands (crypto::certificates, crypto::capi), known AD CS abuse tools (Certify, Certipy), suspicious certificate file creation (.pfx/.p12), anomalous certificate enrollment or template modification events (Security EventIDs 4886, 4887, 4899, 4900), and process access to certificate material in LSASS or DPAPI-protected storage. Successful certificate theft enables persistent authentication as valid accounts and lateral movement without requiring password knowledge."
references:
  - https://attack.mitre.org/techniques/T1649/
  - https://df00tech.com/detections/T1649
author: df00tech
date: 2026/03/20
tags:
  - attack.t1649
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate PKI administrators exporting certificates for backup or migration using certutil.exe with -exportPFX
  - Web server or application administrators renewing SSL/TLS certificates and exporting as PFX for IIS or other services
  - "Enterprise MDM/endpoint management tools (Intune, SCCM) that programmatically request or renew device certificates via certreq.exe"
  - "Security operations tooling (vulnerability scanners, certificate inventory tools) that enumerate certificate templates or stores"
  - Developers testing code-signing workflows who export self-signed certificates in PFX format to non-standard directories
level: high