Clankerusecase
MITRE ATT&CK detection coverage

T1649 Steal or Forge Authentication Certificates

T1649 — Steal or Forge Authentication Certificates is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 22 detection use cases covering it and 5 threat-intel articles citing it.

Credential Access
22 use cases · 5 articles · 0 sub-techniques · 1 tactic

Use cases covering this technique (22)

Certutil exe certificate extraction · ESCU · actions · alerting
Detect Certify Command Line Arguments · ESCU · actions · alerting
Detect Certify With PowerShell Script Block Logging · ESCU · actions · alerting
Detect Certipy File Modifications · ESCU · actions · alerting
Steal or Forge Authentication Certificates Behavior Identified · ESCU · actions · alerting
Windows Export Certificate · ESCU · actions · hunting
Windows Mimikatz Crypto Export File Extensions · ESCU · actions · hunting
Windows PowerShell Export Certificate · ESCU · actions · hunting
Windows PowerShell Export PfxCertificate · ESCU · actions · hunting
Windows Steal Authentication Certificates - ESC1 Abuse · ESCU · actions · alerting
Windows Steal Authentication Certificates - ESC1 Authentication · ESCU · actions · alerting
Windows Steal Authentication Certificates Certificate Issued · ESCU · actions · hunting
Windows Steal Authentication Certificates Certificate Request · ESCU · actions · hunting
Windows Steal Authentication Certificates CertUtil Backup · ESCU · actions · hunting
Windows Steal Authentication Certificates CryptoAPI · ESCU · actions · hunting
Windows Steal Authentication Certificates CS Backup · ESCU · actions · hunting
Windows Steal Authentication Certificates Export Certificate · ESCU · actions · hunting
Windows Steal Authentication Certificates Export PfxCertificate · ESCU · actions · hunting
[LLM] CVE-2022-26923 exploitation via update6.exe binary execution · Bespoke · exploit · alerting
[LLM] AD CS attacker tooling execution: Certify, Certipy, Whisker process indicators · Bespoke · install · alerting
[LLM] PKINIT Kerberos TGT request via certificate authentication anomaly · Bespoke · actions · hunting
[LLM] AD CS certificate request with ENROLLEE_SUPPLIES_SUBJECT flag (ESC1) · Bespoke · exploit · hunting

Articles citing this technique (5)