Installing Root Certificate
Defense Evasion
Execution
Adding a certificate with a native Windows binary:
certutil.exe -addstore -f -user Root C:\Users\spot\Downloads\certnew.cer
Checking to see the certificate got installed:
Adding the certificate with PowerShell:
Import-Certificate -FilePath C:\Users\spot\Downloads\certnew.cer -CertStoreLocation Cert:\CurrentUser\Root\
Observations
Advanced PowerShell logging to the rescue:
Command-line logging:
The CAs get installed to:
Computer\HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C6B22A75B0633E76C9F21A81F2EE6E991F5C94AE
...so it is worth monitoring registry changes there:
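One way to review what is already stored under that registry location, as an added example that is not part of the original page: it lists every per-user root certificate and flags those that are not also trusted machine-wide. The variable names and the choice of the LocalMachine Root store as the comparison baseline are assumptions made for this example.

```powershell
# Added example (not from the original page): audit per-user trusted roots.
# The registry path is the one shown above; variable names are illustrative.
$regPath = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'

# Thumbprints trusted machine-wide, used here as the comparison baseline
# (assumption: the machine store reflects the organisation's expected roots).
$machineRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint)

# Each subkey name under the per-user path is a certificate thumbprint.
$userThumbprints = @()
if (Test-Path -Path $regPath) {
    $userThumbprints = @(Get-ChildItem -Path $regPath |
        Select-Object -ExpandProperty PSChildName)
}

$findings = foreach ($thumb in $userThumbprints) {
    # Resolve the thumbprint to a certificate object for readable details.
    $cert = Get-Item -Path "Cert:\CurrentUser\Root\$thumb" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Thumbprint       = $thumb
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        SelfSigned       = ($cert -and $cert.Subject -eq $cert.Issuer)
        AlsoMachineTrust = ($machineRoots -contains $thumb)
    }
}

# Roots present only in the per-user store were added without administrative
# rights and sit outside the machine-wide baseline, so list them for review.
$findings | Where-Object { -not $_.AlsoMachineTrust } | Format-Table -AutoSize
```

An empty result means the current user has no root certificates beyond those trusted machine-wide; any row returned should be matched against a known deployment or investigated.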
References
Subvert Trust Controls: Install Root Certificate, Sub-technique T1553.004 - Enterprise | MITRE ATT&CK®