Rules Contributing to Suspicious Kerberos Authentication from Golden Certificate Alert

The following rules identify suspicious certificate-based Kerberos authentication activity that may result from a Golden Certificate attack in Active Directory. When any one of these rules fires, the Suspicious Kerberos Authentication from Golden Certificate alert is raised. Details for each rule can be viewed by clicking the More Details link in its description.

Title: Suspicious Active Directory Kerberos Certificate Authentication

Description: A Golden Certificate is a persistence technique that builds on an existing AD CS compromise. An attacker with administrative access to a certification authority (CA) can extract the CA's certificate and its private key. With those, they can sign certificates valid for client authentication and impersonate any user or computer account in the domain, without interacting with the CA again. Because such certificates are signed offline, they never pass through the CA's enrollment process, do not appear in its issued-certificate database, and cannot be revoked; renewing the CA's key pair is the only way to invalidate them. This rule therefore does not rely on issuance records. It detects unusual certificate usage by monitoring certificate-based (PKINIT) Kerberos authentication on domain controllers.
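The following Python script is an added illustration of the authentication-side check the rule description above sketches; it is example code written for this page, not the product's own detection logic. It reads constructed Security event 4768 records carrying the PKINIT Certificate Information fields (CertIssuerName, CertSerialNumber, CertThumbprint) and compares each certificate against a constructed export of the CA's issued-certificate database. The CA name, serial numbers, account names and IP addresses are hypothetical.

```python
"""Flag certificate-based (PKINIT) Kerberos logons whose certificate the enterprise
CA has no record of issuing. Added example with constructed data."""
import json

# Issuer DN of the enterprise CA whose key is assumed compromised. Hypothetical value.
ENTERPRISE_CAS = {"CN=CORP-CA,DC=corp,DC=example"}

# Constructed stand-in for the CA's issued-certificate database, as it would be exported
# with `certutil -view -out "SerialNumber,RequesterName" csv`: normalised serial -> requester.
ISSUED_CERTS = {
    "1a00000005c3d2e1f0": "CORP\\alice",
    "1a00000006aa11bb22": "CORP\\WS01$",
}

# Constructed Security event 4768 (Kerberos TGT requested) records as JSON lines.
# PreAuthType 16 is PA-PK-AS-REQ, i.e. the client pre-authenticated with a certificate;
# the Cert* fields are the event's Certificate Information section. Not real telemetry.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "16", "IpAddress": "10.0.1.20", "CertIssuerName": "CN=CORP-CA,DC=corp,DC=example", "CertSerialNumber": "1A 00 00 00 05 C3 D2 E1 F0", "CertThumbprint": "aa11"}
{"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2", "IpAddress": "10.0.1.21", "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""}
{"EventID": 4768, "TargetUserName": "administrator", "PreAuthType": "16", "IpAddress": "10.0.9.99", "CertIssuerName": "CN=CORP-CA,DC=corp,DC=example", "CertSerialNumber": "7F 00 00 00 99 DE AD BE EF", "CertThumbprint": "bb22"}
{"EventID": 4768, "TargetUserName": "dave", "PreAuthType": "16", "IpAddress": "10.0.9.99", "CertIssuerName": "CN=CORP-CA,DC=corp,DC=example", "CertSerialNumber": "1A 00 00 00 06 AA 11 BB 22", "CertThumbprint": "cc33"}
{"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "16", "IpAddress": "10.0.9.99", "CertIssuerName": "CN=Rogue-CA,O=attacker", "CertSerialNumber": "01", "CertThumbprint": "dd44"}
"""


def normalise_serial(serial: str) -> str:
    """Event 4768 renders the serial as space-separated uppercase hex bytes, while the
    CA database export uses one contiguous hex string. Bring both to a single form."""
    return serial.replace(" ", "").lower()


def account_name(requester: str) -> str:
    """Strip the DOMAIN\\ prefix that RequesterName carries in the CA database."""
    return requester.split("\\")[-1].lower()


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: dict, issued=ISSUED_CERTS, trusted=ENTERPRISE_CAS):
    """Return a finding for one 4768 event, or None when nothing looks wrong."""
    if event.get("EventID") != 4768 or event.get("PreAuthType") != "16":
        return None  # no certificate involved (e.g. password pre-auth): out of scope here
    issuer = event.get("CertIssuerName", "")
    serial = normalise_serial(event.get("CertSerialNumber", ""))
    base = {"user": event["TargetUserName"], "ip": event.get("IpAddress"),
            "issuer": issuer, "serial": serial}
    if issuer not in trusted:
        # The KDC accepted a certificate from a CA we do not operate: either the NTAuth
        # store has been tampered with or the inventory of enterprise CAs is incomplete.
        return {**base, "finding": "untrusted_issuer"}
    requester = issued.get(serial)
    if requester is None:
        # Chains to our CA, but the CA never issued it: signed offline with the stolen key.
        # This is the Golden Certificate signature.
        return {**base, "finding": "forged_certificate"}
    if account_name(requester) != event["TargetUserName"].lower():
        # A forged certificate may reuse a real serial, so an issued serial now
        # authenticating a different principal deserves a look. Certificates obtained
        # through an enrollment agent legitimately differ here, so triage before alerting.
        return {**base, "finding": "requester_mismatch", "issued_to": requester}
    return None


def find_suspicious(text: str, issued=ISSUED_CERTS, trusted=ENTERPRISE_CAS) -> list[dict]:
    findings = (classify(e, issued, trusted) for e in parse_events(text))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['finding']:<20} user={f['user']} ip={f['ip']} serial={f['serial']}")
```

On the sample data the script flags three events: the administrator logon with a serial the CA never issued (the forged-certificate case), the dave logon reusing a serial that was issued to WS01$, and the svc-backup logon with a certificate from an issuer outside the enterprise CA set. The alice logon is left alone because its serial is in the CA database and was issued to the same account. In production the issued-certificate export must be refreshed as the CA issues new certificates, or every fresh enrollment will look forged until the next sync.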