UC0005: Theft of user certificate and private key via CryptoAPI
Summary
ID | UC0005 |
---|---|
Brief Description | Attackers can steal a certificate and its private key via CryptoAPI to authenticate on behalf of the certificate owner using the Public Key Cryptography for Initial Authentication (PKINIT) Kerberos extension. |
Author | @ERMACK_COMMUNITY |
Creation Date | 2023/05/29 |
Modification Date | 2023/06/06 |
ATT&CK Tactics | |
ATT&CK Techniques | |
Tags | |
Linked Response Playbooks | |
Artifacts | |
Description
Attackers can steal a certificate and its private key to authenticate on behalf of the certificate owner using the Public Key Cryptography for Initial Authentication (PKINIT) Kerberos extension.
To extract the certificate and private key, attackers can use CryptoAPI, the Windows interface for working with cryptographic service providers. In particular, CryptoAPI allows access to certificates and their private keys.
The private key of a certificate can be marked as exportable or non-exportable. If the private key is marked as non-exportable, the attacker needs additional steps to extract it.
Attack mapping
ARTIFACT | OBJECT | DESCRIPTION |
---|---|---|
Attack Prerequisites | ||
Host | Compromised host | Host where the certificate and private key are stored and on which attackers can execute code from the user's context |
Active Directory account | Certificate owner user | The user who owns the certificate and from whose context code execution is available |
Side Observables | ||
File | PKCS#12 format file (.pfx or .p12) | File with a certificate and an associated private key |
File | Executable or script file | Executable or script file that attackers use to carry out an attack (e.g. mimikatz.exe) |
Attack result
The result of this attack is a user certificate and its associated private key, which the attacker can use to carry out further attacks (e.g. Pass-the-Certificate).
RESOURCE | DESCRIPTION |
---|---|
Attack Prerequisites | |
Host | Compromised host on which attackers can execute code from the user's context |
Active Directory account | The user from whose context code execution is available |
Result Consequences | |
Certificate | User certificate that is stored on the machine |
Private key | Private key associated with the user certificate |
Attack progress
Depending on whether the private key is exportable or non-exportable, there are two attack options. If the private key is exportable, the attacker simply extracts the certificate and private key using, for example, the Export-PfxCertificate PowerShell cmdlet. If the private key is non-exportable, the attacker first patches memory to bypass the non-exportability of the private key and then extracts the certificate and private key.
First option - Private key is exportable
- Create a password to protect the exported PFX file
- Export the certificate and private key as a PFX file
Example of this attack:

```powershell
PS> $pwd = ConvertTo-SecureString '123' -Force -AsPlainText
PS> Get-ChildItem -Path Cert:\CurrentUser\My\certificate_thumbprint | Export-PfxCertificate -FilePath C:\cert.pfx -Password $pwd
```
Second option - Private key is non-exportable
- Patch memory to bypass the non-exportability of the private key
- Export the certificate and private key as a PFX file
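A defender-side check, added here and not part of the original use case: it inventories the user's personal certificate store and reports which private keys CryptoAPI/CNG will let a process in the user's context export (the exportable "first option" above), together with whether the certificate carries the standard Client Authentication EKU (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2) that PKINIT accepts. The function name Get-ExportableKeyReport is my own; everything else uses standard .NET and PowerShell APIs.

```powershell
# Added defender-side check, not part of the ERMACK use case.
# Lists certificates with a private key in the user's personal store and reports whether
# CryptoAPI/CNG will allow the key to be exported (the exportable "first option" case).
function Get-ExportableKeyReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, one of the EKUs PKINIT accepts

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'unknown'
        $policy     = 'unknown'
        $exportable = 'unknown'
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: exportability is a flag in the key container info
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
                $policy     = if ($exportable) { 'Exportable' } else { 'NonExportable' }
            } elseif ($key.PSObject.Properties['Key']) {
                # CNG key (RSACng / ECDsaCng): exportability is an export policy on the CngKey
                $provider   = $key.Key.Provider.Provider
                $policy     = $key.Key.ExportPolicy.ToString()
                $exportable = $key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
            }
        } catch {
            # Smart card or TPM-backed keys may refuse to open without a PIN; leave fields as 'unknown'
        }
        $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Provider     = $provider
            ExportPolicy = $policy
            Exportable   = $exportable
            # A certificate with no EKU extension is valid for any purpose, so treat it as client-auth capable
            ClientAuth   = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
        }
    }
}

# Usage: show the high-risk combination, an exportable key on a certificate usable for client authentication
Get-ExportableKeyReport | Where-Object { $_.Exportable -eq $true -and $_.ClientAuth } | Format-Table -AutoSize
```

Certificates that appear in this output are the ones a compromised user context could export with nothing more than the Export-PfxCertificate call shown above; moving them to a non-exportable or hardware-backed provider removes the first option and forces the memory-patching path, which is noisier and easier to detect.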