# Certificate Theft
Status: Scaffold — content in progress
ATT&CK: T1649, T1552.004
Severity: High
## What It Enables
A stolen certificate and its private key for a valid user let an attacker:
- Authenticate as that user via Kerberos PKINIT
- Keep that access across password resets, since the certificate stays valid until it expires or is revoked
- Avoid leaving credentials in memory, so standard credential-hunting detections miss it
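Because a stolen certificate shows up as a PKINIT logon rather than a password logon, the defender's handle is the Certificate Information (issuer, serial, thumbprint) that Event ID 4768 records for certificate-based TGT requests. The Python below is an added example, not part of this page: it triages constructed 4768 records against an assumed per-user inventory of issued thumbprints and usual source hosts, flagging a thumbprint the CA never issued to that user and a known certificate used from a new host.

```python
import re
from typing import Dict, List, Set

# Constructed Event ID 4768 (Kerberos TGT requested) records, flattened to
# key=value pairs. Field names mirror the Windows Security log EventData;
# the users, thumbprints and addresses are made up for this example.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.12 PreAuthType=2 "
    "CertIssuerName= CertSerialNumber= CertThumbprint=",
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.12 PreAuthType=16 "
    "CertIssuerName=CORP-CA CertSerialNumber=1A2B CertThumbprint=AAAA1111",
    "EventID=4768 TargetUserName=alice IpAddress=10.0.9.77 PreAuthType=16 "
    "CertIssuerName=CORP-CA CertSerialNumber=1A2B CertThumbprint=AAAA1111",
    "EventID=4768 TargetUserName=bob IpAddress=10.0.0.40 PreAuthType=16 "
    "CertIssuerName=CORP-CA CertSerialNumber=9F9F CertThumbprint=BBBB2222",
]

# Constructed inventory (assumed to come from the CA database and logon
# baselines): certificates issued to each user, and hosts they usually use.
KNOWN_CERTS: Dict[str, Set[str]] = {"alice": {"AAAA1111"}, "bob": {"CCCC3333"}}
KNOWN_HOSTS: Dict[str, Set[str]] = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.40"}}


def parse_4768(line: str) -> Dict[str, str]:
    """Split a flattened 4768 record into a field map (values hold no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def is_pkinit(event: Dict[str, str]) -> bool:
    """A TGT obtained with a certificate carries Certificate Information in 4768.
    A non-empty thumbprint is the reliable marker (PreAuthType 16 is PA-PK-AS-REQ
    per RFC 4556, but the thumbprint field works regardless of the type value)."""
    return event.get("EventID") == "4768" and bool(event.get("CertThumbprint"))


def triage(lines: List[str], known_certs, known_hosts) -> List[Dict[str, str]]:
    """Flag PKINIT logons using a certificate not issued to that user, or coming
    from a host the user has not been seen on; both fit a replayed stolen cert."""
    findings = []
    for line in lines:
        ev = parse_4768(line)
        if not is_pkinit(ev):
            continue
        user, thumb, src = ev["TargetUserName"], ev["CertThumbprint"], ev.get("IpAddress", "")
        if thumb not in known_certs.get(user, set()):
            findings.append({"user": user, "thumbprint": thumb, "source": src,
                             "reason": "pkinit-unknown-cert"})
        if src not in known_hosts.get(user, set()):
            findings.append({"user": user, "thumbprint": thumb, "source": src,
                             "reason": "pkinit-new-source"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_4768, KNOWN_CERTS, KNOWN_HOSTS):
        print(finding)
```

Real 4768 events arrive as XML or JSON from the collector, so swap `parse_4768` for the collector's field access; the two checks stay the same.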
## Theft Methods
| Method | Command | Notes |
|---|---|---|
| Mimikatz export | `mimikatz# crypto::certificates /export` | Requires local admin |
| certutil copy | `certutil -exportPFX -p password cert.pfx` | For user's own certs |
| DPAPI blob theft | Mimikatz `dpapi::certs` | Decrypt user's cert container |
| File search | `find / -name "*.pfx" -o -name "*.p12"` | Cert files on disk |
## Cross-Links
| Topic | Link |
|---|---|
| ADCS Protocol | adcs |
| PKI Overview | pki-overview |
| Detection | detect-certificate-attacks |