HackTool - Certify Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| HackTool - Certify Execution | Standard | Windows | Credential Access: Steal or Forge Authentication Certificates (T1649) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects suspicious enumeration or certificate requests against Active Directory Certificate Services (AD CS) using the Certify tool, which attackers often leverage to identify vulnerable certificate templates and escalate privileges.
Severity
Trouble
Rule journey
Attack chain scenario
Discovery → AD CS Enumeration with Certify.exe → Abuse of Certificate Templates → Credential Access via Forged Certificates
Impact
If successful, the attacker can exploit misconfigured Active Directory Certificate Services (AD CS) to escalate privileges, impersonate domain users or administrators, and gain persistent access to critical systems. This can lead to complete domain compromise, data exfiltration, and long-term unauthorized access using forged certificates.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a Domain Controller with domain admin credentials.
- Open Group Policy Management Console (gpmc.msc).
- Edit or create a GPO linked to the target OU.
- Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Enable Audit Process Creation (Success)
- Enable Audit Process Termination (Success)
- Navigate to:
Computer Configuration > Administrative Templates > System > Audit Process Creation
- Enable Include command line in process creation events
- Ensure the registry key exists:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals.
- Open Command Prompt as administrator.
- Use or create a Sysmon config file that monitors process creation.
- Install Sysmon using: sysmon.exe -i [configfile.xml]
- Example config entry: <ProcessCreate onmatch="exclude"/>
- Ensure the registry key exists:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\Certify.exe" OR ORIGINALFILENAME = "Certify.exe" OR MESSAGE contains "Certify") OR (COMMANDLINE contains ".exe cas ,.exe find ,.exe pkiobjects ,.exe request ,.exe download " AND COMMANDLINE contains " /vulnerable, /template:, /altname:, /domain:, /path:, /ca:") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
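The criteria above, worked through as an added example (not the vendor's rule engine or the rule author's code): a small Python matcher that applies the same two branches to process-creation events carrying the rule's field names, run over constructed sample events. It reads the `actionname` clause as applying to both branches; the host, path and CA names in the samples are made up.

```python
# Subcommands and switches taken from the rule's criteria above.
SUBCOMMANDS = ("cas", "find", "pkiobjects", "request", "download")
SWITCHES = ("/vulnerable", "/template:", "/altname:", "/domain:", "/path:", "/ca:")


def matches_certify_rule(event):
    """Return True if a process-creation event satisfies the rule criteria.

    `event` is a dict keyed by the rule's field names (actionname, PROCESSNAME,
    ORIGINALFILENAME, MESSAGE, COMMANDLINE); absent fields count as empty.
    Matching is case-insensitive, as SIEM string operators usually are.
    """
    if event.get("actionname", "") != "Process started":
        return False
    proc = event.get("PROCESSNAME", "").lower()
    orig = event.get("ORIGINALFILENAME", "").lower()
    msg = event.get("MESSAGE", "").lower()
    cmd = event.get("COMMANDLINE", "").lower()
    # Branch 1: the binary is still named Certify, or its PE metadata says so.
    if proc.endswith("\\certify.exe") or orig == "certify.exe" or "certify" in msg:
        return True
    # Branch 2: renamed binary, but a Certify subcommand ("<x>.exe find ", note
    # the trailing space) AND a Certify switch are both still on the command line.
    has_subcommand = any(f".exe {sub} " in cmd for sub in SUBCOMMANDS)
    has_switch = any(sw in cmd for sw in SWITCHES)
    return has_subcommand and has_switch


# Constructed sample events (not real telemetry), one per branch plus two non-hits.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "PROCESSNAME": r"C:\Users\Public\Certify.exe",
     "COMMANDLINE": "Certify.exe find /vulnerable"},
    # Renamed copy: only the PE's OriginalFileName gives it away.
    {"actionname": "Process started", "PROCESSNAME": r"C:\Windows\Temp\svc.exe",
     "ORIGINALFILENAME": "Certify.exe", "COMMANDLINE": "svc.exe cas"},
    # Renamed with metadata stripped: caught by subcommand + switch on the command line.
    {"actionname": "Process started", "PROCESSNAME": r"C:\Windows\Temp\upd.exe",
     "ORIGINALFILENAME": "upd.exe",
     "COMMANDLINE": r"upd.exe request /ca:EXAMPLE-CA\example-CA /template:EXAMPLE"},
    # Benign: built-in certutil querying the CA, no Certify indicators.
    {"actionname": "Process started", "PROCESSNAME": r"C:\Windows\System32\certutil.exe",
     "COMMANDLINE": "certutil.exe -dump"},
    # Process termination is outside the rule's actionname filter.
    {"actionname": "Process terminated", "PROCESSNAME": r"C:\Users\Public\Certify.exe"},
]


def triage(events):
    """Return the indices of the events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches_certify_rule(ev)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # -> [0, 1, 2]
```

The third sample shows why branch 2 matters: once the attacker renames the binary and strips its version resource, only the command-line pattern remains, which is why the prerequisites insist on enabling command-line logging.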
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Execution: Exploitation for Client Execution (T1203)
Security Standards
NIST SP 800-53: SI-4, AU-12
ISO/IEC 27001: A.12.4.1
Author
pH-T (Nextron Systems)
Future actions
Known False Positives
Legitimate administrative use of Certify during AD CS troubleshooting
Next Steps
- Review the process creation logs from domain controllers.
- Investigate the command line input for suspicious keywords.
- Correlate with user behavior and lateral movement attempts.
- If activity is confirmed malicious, terminate the process and isolate the host.
- Update detection rules or threat intel if needed.
Mitigation
| Mitigation ID | Mitigation Name | Description |
|---|---|---|
| M1015 | Active Directory Configuration | Secure CA servers as tier 0 assets. Disable use of SANs in templates to prevent spoofing, and require CA Certificate Manager approval for SAN-based templates. |
| M1047 | Audit | Audit and remove unused authentication certificates. Fix misconfigurations in CA permissions and templates using tools like certsrv.msc and certutil.exe. |
| M1042 | Disable or Remove Feature or Program | Disable legacy protocols like NTLM and remove unnecessary AD CS web/enrollment roles. |
| M1041 | Encrypt Sensitive Information | Protect certificates and private keys using TPM or HSM. Enforce HTTPS and enable Extended Protection for Authentication. |