{
	"id": "20701747-260a-4522-bc7d-d45fdd8211d9",
	"created_at": "2026-04-06T00:10:09.068521Z",
	"updated_at": "2026-04-10T13:13:02.342045Z",
	"deleted_at": null,
	"sha1_hash": "4dac1de50864a3b66110ad8af0e9a7735f1f4583",
	"title": "GitHub - TheWover/CertStealer: A .NET tool for exporting and importing certificates without touching disk.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46597,
	"plain_text": "GitHub - TheWover/CertStealer: A .NET tool for exporting and\r\nimporting certificates without touching disk.\r\nBy TheWover\r\nArchived: 2026-04-05 22:00:29 UTC\r\nA (v3.5 compatible) .NET tool for stealing and importing certificates in the Windows certificate store without\r\ntouching disk. Useful for red team operations where you need to poach a certificate for pivoting purposes and\r\nwant to do so with an in-memory post-ex payload.\r\nThis tool is flagged as malware by Defender. DO NOT run it from disk on-target. DO NOT run it in memory on\r\ntarget WITHOUT AMSI BYPASSED. And DO obfuscate it with a tool like ConfuserEx, just in case.\r\nIf you export a certificate with a private key as PFX then the password will be blank by default. Blank, not non-existent. Optionally, you may specify a password with the --password argument.\r\nIf keys are marked as not exportable then you will have to patch CAPI to allow export of non-exportable keys in\r\nthe current process. This can be done with mimikatz via the crypto::capi command. If you are trying to export\r\ndevice certificates that are not exportable, mimikatz can instead patch the memory of the running lsass.exe process\r\nto bypass protections using the crypto::cng command.\r\nAlternatively, you may extract the private keys manually using DPAPI operations. Use the user's DPAPI\r\nmasterkey, (or a password, domain DPAPI private key, or system backup key to first decrypt the user's masterkey)\r\nto extract and decrypt the user's certificates from the registry. This can be done with SharpDPAPI or mimikatz. For\r\nmore details, checkout the THEFT2 and THEFT3 sections of SpecterOps's whitepaper: Certified Pre-Owned.\r\n(Really you should just read that whole paper.)\r\nExamples:\r\nDisplay this help message: CertStealer.exe --help\r\nListing all certs: CertStealer.exe --list\r\nListing all certs within the My store in CurrentUser: CertStealer.exe --name user --store My --list\r\nListing all certs within the CA store in LocalMachine: CertStealer.exe --name local --store CA --list\r\nExporting a cert by its thumbprint: CertStealer.exe --export AF724CB571166C24C0799E65BE4772B10814BDD2\r\nExporting a cert by its thumbprint as PFX: CertStealer.exe --export pfx AF724CB571166C24C0799E65BE4772B10814BDD2\r\nExporting a cert by its thumbprint as PFX, specifying a password: CertStealer.exe --password pass123 --export pf\r\nImporting a cert into the My store in CurrentUser: CertStealer.exe --import My user Dw...snipped...gY=\r\nImporting a cert into the CA store in LocalMachine: CertStealer.exe --import CA local Dw...snipped...gY=\r\nUse verbose output (works for list and import): CertStealer.exe --list --verbose\r\nSource: https://github.com/TheWover/CertStealer\r\nhttps://github.com/TheWover/CertStealer\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/TheWover/CertStealer"
	],
	"report_names": [
		"CertStealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dac1de50864a3b66110ad8af0e9a7735f1f4583.pdf",
		"text": "https://archive.orkl.eu/4dac1de50864a3b66110ad8af0e9a7735f1f4583.txt",
		"img": "https://archive.orkl.eu/4dac1de50864a3b66110ad8af0e9a7735f1f4583.jpg"
	}
}