Windows Events for Certificate Exports #2378
Comments
Hi @inthecards77, Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you
Hi, sure thing.
I have exported user and system authentication certificates from Windows machines to conduct impersonation attacks.
Steps:
1. get access to machine
2. get machine name/user name/password
3. export certificates and private keys
4. install certificates on new Windows VM with same machine name and user name
5. connect to SSL VPN, Wireless Networks with 802.1x, etc. as the user.
This can also be used against signing certificates to spoof mail from another machine or sign code. Same Windows event for any certificates exported.
Let me know if you need more info.
Alan
On Sun, Oct 9, 2022 at 9:11 AM Michael Haag ***@***.***> wrote:
> Hi @inthecards77, Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you
Merged
Thank you for this! I dug in on this topic and shipped a good amount of content around certificate services. Thank you!
I like to track these to look for possible impersonation threats.
Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Date: 6/17/2022 12:32:49 PM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.
Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Date: 6/18/2022 7:53:18 AM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.
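One way to track these events, as an added example (not code from the issue or from the project): it parses Event Viewer text output in the format pasted above and keeps Event ID 1007 records from the two CertificateServicesClient-Lifecycle channels. The function names and the third sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Channel names and event ID as quoted in the issue.
CHANNEL = re.compile(r"^Microsoft-Windows-CertificateServicesClient-Lifecycle-(User|System)/Operational$")
EXPORT_EVENT_ID = "1007"
FIELD = re.compile(r"^(Log Name|Date|Event ID|User|Computer):\s*(.*)$")

# Constructed sample: the issue's two records (trimmed to the parsed fields)
# plus one made-up record with a different event ID that must be ignored.
SAMPLE = """\
Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Date: 6/17/2022 12:32:49 PM
Event ID: 1007
User: HP-AR\\inthe
Computer: HP-AR
Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Date: 6/18/2022 7:53:18 AM
Event ID: 1007
User: HP-AR\\inthe
Computer: HP-AR
Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Event ID: 9999
User: HP-AR\\inthe
"""

def parse_events(text):
    """Split Event Viewer text output into one dict per record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())  # Source, Level, Description are skipped
        if m and m.group(1) == "Log Name":  # each record starts with Log Name
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def find_exports(events):
    """Return export events, tagged with the store scope (User or System)."""
    hits = []
    for e in events:
        m = CHANNEL.match(e.get("Log Name", ""))
        if m and e.get("Event ID") == EXPORT_EVENT_ID:
            hits.append({**e, "Scope": m.group(1)})
    return hits

def exports_per_account(events):
    """Count exports per (computer, user) so repeated exports stand out."""
    return Counter((e.get("Computer"), e.get("User")) for e in find_exports(events))
```

The Scope tag separates user-store exports from system-store exports, which the issue describes as user and system authentication certificates.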