Golden Certificate Attacks in Active Directory Explained and Defended
Golden Certificates are an advanced persistence technique linked to Active Directory Certificate Services (AD CS) compromises. When attackers gain administrative access to a Certificate Authority (CA), they can extract the CA certificate and private key. This extraction enables them to forge valid certificates for client authentication, effectively impersonating any user within the domain.
CA certificates and private keys can be retrieved from both root and subordinate CAs either with the built-in backup tooling or with open-source utilities such as Mimikatz, Seatbelt, and SharpDPAPI. Malicious actors can then use Mimikatz or ForgeCert to forge new certificates signed by the stolen CA private key, granting domain access that goes undetected until those certificates are revoked. Since revocation may not occur promptly, attackers can maintain persistent, long-term access to the network.
Mitigation Strategies for Golden Certificates in Active Directory
Protecting CAs is critical, and they should be treated with security measures as strict as those for Domain Controllers. To reduce the risk of Golden Certificate attacks, implement the following controls:
- Multi-Factor Authentication (MFA): Enforce MFA for all privileged users accessing CA systems to block unauthorized access using stolen credentials.
- Application Control on AD CS CAs: Restrict execution of unauthorized applications to prevent tools like Mimikatz from running.
- Hardware Security Module (HSM): Use HSMs to store CA private keys securely, making key extraction impossible.
- Access Restriction: Limit CA access strictly to a small group of privileged users, preferably a group smaller than Domain Admins.
- Privileged Access Pathways: Force access through jump servers and secure admin workstations with minimal open ports and services. Treat AD CS servers as Tier 0 assets.
- Dedicated CA Servers: Use CAs exclusively for AD CS functions, avoiding installation of unrelated applications or services.
- Backup Security: Encrypt backups and restrict backup access to Backup Administrators, so that attackers cannot retrieve CA material from backups.
- Centralized Logging and Monitoring: Continuously monitor and analyze AD CS logs to detect suspicious activities swiftly.
Detecting Golden Certificate Attacks
Golden Certificate attacks are notoriously difficult to detect due to stealthy extraction of CA keys and certificates. However, some event auditing can help catch suspicious behavior if enabled properly:
- Enable Audit Object Access for Certificate Services via Group Policy under Advanced Audit Policy Configuration > Security Settings.
- Audit "Backup and restore the CA database" events within the CA properties.
| Event ID | Source | Description |
|---|---|---|
| 70 | CAPI2 log on root and subordinate CAs | Indicates a certificate export event. Filter for CA certificate subjects. |
| 1102 | Root and subordinate CAs | Audit log cleared event; may indicate an attempt to erase traces of malicious activity. |
| 4103 | Root and subordinate CAs | PowerShell pipeline execution logged; tools like Certutil or Mimikatz trigger this. |
| 4104 | Root and subordinate CAs | PowerShell script block logging for command capture, indicating possible malicious PowerShell use. |
| 4876 | Root and subordinate CAs | Backup of CA database started; may indicate suspicious backup activity but doesn’t log private key export. |
To increase visibility, enable CAPI2 logging for certificate export events and centrally aggregate these logs for timely analysis. Detecting abnormal PowerShell activity combined with unusual backups or cleared audit logs can provide critical early warnings.
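As an added example (not part of the original article), the correlation described above run in Python over constructed, already-normalized records of the event IDs in the table: a CA certificate export alerts on its own, and otherwise two or more different indicators on the same CA within a window do. The log channel names, the CA subject "CN=CORP-ROOT-CA", the hostnames and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Indicators from the table above: (log channel, event id) -> label.
INDICATORS = {
    ("Microsoft-Windows-CAPI2/Operational", 70): "ca_cert_export",
    ("Security", 1102): "audit_log_cleared",
    ("Security", 4876): "ca_backup_started",
    ("Microsoft-Windows-PowerShell/Operational", 4103): "powershell_pipeline",
    ("Microsoft-Windows-PowerShell/Operational", 4104): "powershell_scriptblock",
}

# Constructed sample records (not real logs), normalized as a SIEM might export
# them: (timestamp, host, channel, event id, exported certificate subject or "").
SAMPLE_EVENTS = [
    ("2024-05-01T09:58:00", "CA01", "Microsoft-Windows-PowerShell/Operational", 4104, ""),
    ("2024-05-01T10:00:00", "CA01", "Security", 4876, ""),
    ("2024-05-01T10:01:00", "CA01", "Microsoft-Windows-CAPI2/Operational", 70, "CN=CORP-ROOT-CA"),
    ("2024-05-01T10:05:00", "CA01", "Security", 1102, ""),
    ("2024-05-01T14:00:00", "CA02", "Security", 4876, ""),  # routine scheduled backup
    ("2024-05-01T14:30:00", "CA02", "Microsoft-Windows-CAPI2/Operational", 70, "CN=jdoe"),  # user cert
]
CA_SUBJECTS = {"CN=CORP-ROOT-CA"}  # assumed subject of the CA certificate being guarded

def classify(channel, event_id, subject, ca_subjects):
    """Indicator label for one event, or None. CAPI2 70 fires for every private-key
    export, so it counts only when the exported certificate is one of the CA certificates."""
    label = INDICATORS.get((channel, event_id))
    if label == "ca_cert_export" and subject not in ca_subjects:
        return None
    return label

def correlate(events, ca_subjects, window_minutes=30):
    """Cluster indicators per host within a window. An export of the CA certificate alone
    alerts; otherwise two or more distinct indicator types (e.g. backup then cleared log) do."""
    tagged = sorted(
        (host, datetime.fromisoformat(ts), label)
        for ts, host, channel, eid, subj in events
        if (label := classify(channel, eid, subj, ca_subjects))
    )
    alerts, i = [], 0
    while i < len(tagged):
        host, start, _ = tagged[i]
        labels, j = set(), i
        while j < len(tagged) and tagged[j][0] == host and tagged[j][1] - start <= timedelta(minutes=window_minutes):
            labels.add(tagged[j][2])
            j += 1
        if "ca_cert_export" in labels or len(labels) >= 2:
            alerts.append({"host": host, "start": start.isoformat(), "indicators": sorted(labels)})
        i = j
    return alerts
```

Running `correlate(SAMPLE_EVENTS, CA_SUBJECTS)` yields a single alert for CA01 carrying all four indicators, while CA02's lone scheduled backup and user-certificate export stay silent.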