Windows Events for Certificate Exports

Question

Windows Events for Certificate Exports

inthecards77 opened this issue 2 years ago · comments

I like to track these to look for possible impersonation threat.

Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Date: 6/17/2022 12:32:49 PM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.

Log Name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Date: 6/18/2022 7:53:18 AM
Event ID: 1007
Task Category: None
Level: Information
Keywords:
User: HP-AR\inthe
Computer: HP-AR
Description:
A certificate has been exported. Please refer to the "Details" section for more information.

Michael Haag · Answer 1 · Sun Oct 09 2022 21:10:46 GMT+0800 (China Standard Time)

Hi @inthecards77 , Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you

Alan Ross · Answer 2 · Mon Oct 10 2022 23:38:01 GMT+0800 (China Standard Time)

Hi, sure thing. I have exported user and system authentication certificates from Windows machines to conduct impersonation attacks. Steps: 1. get access to machine 2. get machine name/user name/password 3. export certificates and private keys 4. install certificates on new Windows VM with same machine name and user name 5. connect to SSL VPN, Wireless Networks with 802.1x, etc as the user. This can also be used against signing certificates to spoof mail from another machine or sign code. Same windows event for any certificates exported. Let me know if you need more info. Alan

…

On Sun, Oct 9, 2022 at 9:11 AM Michael Haag ***@***.***> wrote: [ External sender. Exercise caution. ] Hi @inthecards77 <https://github.com/inthecards77> , Thank you for the share. Would you mind sharing a bit more details of the attack or a blog post related? Thank you — Reply to this email directly, view it on GitHub <#2378 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A3F6WNA365D6WYZBOFIT2MLWCK76BANCNFSM6AAAAAAQRNZDN4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Michael Haag · Answer 3 · Tue Feb 14 2023 01:43:21 GMT+0800 (China Standard Time)

Thank you for this! I dug in on this topic and shipped a good amount of content around certificate services. Thank you!