Windows Events for Certificate Exports #2378

inthecards77 · 2022-09-20T20:33:13Z

I like to track these to look for possible impersonation threat.

Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Date: 6/17/2022 12:32:49 PM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.

Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Date: 6/18/2022 7:53:18 AM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.

MHaggis · 2022-10-09T13:10:46Z

Hi @inthecards77 , Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you

inthecards77 · 2022-10-10T15:38:01Z

Hi, sure thing. I have exported user and system authentication certificates from Windows machines to conduct impersonation attacks. Steps: 1. get access to machine 2. get machine name/user name/password 3. export certificates and private keys 4. install certificates on new Windows VM with same machine name and user name 5. connect to SSL VPN, Wireless Networks with 802.1x, etc as the user. This can also be used against signing certificates to spoof mail from another machine or sign code. Same windows event for any certificates exported. Let me know if you need more info. Alan

…

On Sun, Oct 9, 2022 at 9:11 AM Michael Haag ***@***.***> wrote: [ External sender. Exercise caution. ] Hi @inthecards77 <https://github.com/inthecards77> , Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you — Reply to this email directly, view it on GitHub <#2378 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A3F6WNA365D6WYZBOFIT2MLWCK76BANCNFSM6AAAAAAQRNZDN4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

MHaggis · 2023-02-13T17:43:21Z

Thank you for this! I dug in on this topic and shipped a good amount of content around certificate services. Thank you!

ljstella assigned MHaggis Sep 20, 2022

MHaggis mentioned this issue Feb 13, 2023

The 📖 of Haag #2513

Merged

MHaggis closed this as completed Feb 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Windows Events for Certificate Exports #2378

Windows Events for Certificate Exports #2378

inthecards77 commented Sep 20, 2022

MHaggis commented Oct 9, 2022

inthecards77 commented Oct 10, 2022 via email

MHaggis commented Feb 13, 2023

Windows Events for Certificate Exports #2378

Windows Events for Certificate Exports #2378

Comments

inthecards77 commented Sep 20, 2022

MHaggis commented Oct 9, 2022

inthecards77 commented Oct 10, 2022 via email

MHaggis commented Feb 13, 2023