Installing Root Certificate

Red Teaming Experiments

linkedin github @spotheplanet patreon

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

offensive security

reversing, forensics & misc

Internals

Cloud

Neo4j

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Installing Root Certificate

Defense Evasion

Execution
Adding a certificate with a native windows binary:
[email protected]
1
certutil.exe -addstore -f -user Root C:\Users\spot\Downloads\certnew.cer
Copied!
Checking to see the certificate got installed:
Adding the certificate with powershell:
[email protected]
1
Import-Certificate -FilePath C:\Users\spot\Downloads\certnew.cer -CertStoreLocation Cert:\CurrentUser\Root\
Copied!
Observations
Advanced poweshell logging to the rescue:
Commandline logging:
The CAs get installed to:
1
Computer\HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C6B22A75B0633E76C9F21A81F2EE6E991F5C94AE
Copied!
..so it is worth monitoring registry changes there:
References
Subvert Trust Controls: Install Root Certificate, Sub-technique T1553.004 - Enterprise | MITRE ATT&CK®

Hijacking Time Providers

Powershell Profile Persistence

Last modified 2yr ago

Copy link

Contents

Execution

Observations

References