CertDump is a Beacon Object File (BOF) for dumping certificates (and, where the key storage provider allows it, their private keys) from the target's `CurrentUser\My` and `LocalMachine\My` stores. It was written for Cobalt Strike's Beacon to provide quick, in-memory enumeration of certificates in both user and machine scope, without dropping a tool to disk.
- Enumerates all certificates in:
  - `CurrentUser\My`
  - `LocalMachine\My`
- Displays per-certificate metadata:
  - Issuer, Subject
  - Validity dates (NotBefore / NotAfter)
  - Thumbprint (SHA-1)
  - Certificate Template OID (if present)
  - Enhanced Key Usages (friendly names via OID lookup)
  - Boolean flag indicating whether a private key is associated
- Attempts to export any CNG-based private key in PKCS#8 PEM format
- All output is piped through `BeaconFormatPrintf`/`BeaconPrintf`, so results appear in the Beacon console
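To cross-check what the BOF reports on a given host, the following is an added PowerShell example (not CertDump's own code) that lists the same fields from the same two stores through the `Cert:` provider. The template extension OIDs `1.3.6.1.4.1.311.21.7` (v2, carries the template OID) and `1.3.6.1.4.1.311.20.2` (v1, carries only a name), and the function name `Get-CertDumpInfo`, are this example's choices, not identifiers from the project.

```powershell
# Added example, not part of CertDump: reproduce the BOF's per-certificate
# listing with the Cert: provider. Run elevated to see LocalMachine\My.
$TemplateOids = @{
    '1.3.6.1.4.1.311.21.7' = 'Certificate Template Information (v2)'
    '1.3.6.1.4.1.311.20.2' = 'Certificate Template Name (v1)'
}

function Get-CertDumpInfo {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # Template extension, decoded by Windows' own formatter
            # (v2 prints "Template=<oid>, Major Version Number=..., ...")
            $tmpl = $cert.Extensions |
                    Where-Object { $TemplateOids.ContainsKey($_.Oid.Value) } |
                    ForEach-Object { $_.Format($false) }

            # EKU friendly names resolved from the OID table, as the BOF does;
            # fall back to the raw OID when Windows has no friendly name for it
            $eku = $cert.Extensions |
                   Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                   ForEach-Object { $_.EnhancedKeyUsages } |
                   ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } }

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                Thumbprint    = $cert.Thumbprint        # SHA-1, upper-case hex
                Template      = ($tmpl -join '; ')
                EKU           = ($eku -join ', ')
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
}

Get-CertDumpInfo | Format-List
```

`HasPrivateKey` only says that Windows has a key associated with the certificate; it says nothing about whether that key can be exported, which is the question the export step below runs into.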
A `Makefile` is provided for compiling both x86 and x64 BOFs. Simply run:

```sh
make
```
### NCryptExportKey failed (0x80090029)

```
PrivateKey PEM : <NCryptExportKey failed (0x80090029)>
```

Cause: `0x80090029` is `NTE_NOT_SUPPORTED`. The key is held by a CNG key storage provider (the Microsoft Software Key Storage Provider keeps its keys inside `lsass.exe`, behind the KeyIso service) and its export policy does not allow plaintext export, so `NCryptExportKey` refuses the request rather than returning the key material.

Workaround: if you must extract that private key, use Mimikatz to patch the exportability check. `crypto::capi` patches the legacy CryptoAPI in the Mimikatz process and covers CAPI keys; for CNG keys such as this one, `crypto::cng` patches the KeyIso service in `lsass.exe`, which is why `privilege::debug` is needed first:

```
privilege::debug
crypto::capi
crypto::cng
crypto::keys /export
```

Caveat: this only helps for software-backed keys. Keys held by a TPM (Microsoft Platform Crypto Provider) or a smart card never leave the hardware, and no export patch changes that.
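To tell in advance which keys will hit this error, here is an added PowerShell example (not CertDump's or Mimikatz's code) that reads each RSA key's CNG export policy, exports a PKCS#8 PEM only where plaintext export is permitted, and records the HRESULT when an export still fails. It skips non-RSA keys; the function name `Get-PrivateKeyExportability` is this example's own.

```powershell
# Added example, not part of CertDump: for every certificate with a private
# key, report the provider and export policy, and export PKCS#8 PEM only
# where CNG allows plaintext export. Run elevated for LocalMachine\My.
function Get-PrivateKeyExportability {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path | Where-Object HasPrivateKey)) {
            $info = [ordered]@{ Store = $path; Thumbprint = $cert.Thumbprint; Subject = $cert.Subject }
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) { continue }      # ECDSA etc. are out of scope here

                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: ExportPolicy is the flag NCryptExportKey enforces.
                    # Without AllowPlaintextExport, a plaintext PKCS#8 export
                    # fails with NTE_NOT_SUPPORTED (0x80090029).
                    $key = $rsa.Key
                    $info.Provider     = $key.Provider.Provider
                    $info.ExportPolicy = $key.ExportPolicy.ToString()
                    $info.Exportable   = $key.ExportPolicy.HasFlag(
                        [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
                    if ($info.Exportable) {
                        $der = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
                        $info.Pkcs8Pem = "-----BEGIN PRIVATE KEY-----`n" +
                                         [Convert]::ToBase64String($der, 'InsertLineBreaks') +
                                         "`n-----END PRIVATE KEY-----"
                    }
                } else {
                    # Legacy CAPI key (RSACryptoServiceProvider): NCrypt is not involved,
                    # the CSP's own exportable flag decides instead
                    $info.Provider     = $rsa.CspKeyContainerInfo.ProviderName
                    $info.ExportPolicy = 'CAPI'
                    $info.Exportable   = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch [System.Security.Cryptography.CryptographicException] {
                # Surface the HRESULT the same way the BOF does, e.g. 0x80090029
                $info.Error = '0x{0:X8} {1}' -f $_.Exception.HResult, $_.Exception.Message
            }
            [pscustomobject]$info
        }
    }
}

Get-PrivateKeyExportability | Format-List
```

Any row whose `Provider` is the Microsoft Software Key Storage Provider and whose `ExportPolicy` lacks `AllowPlaintextExport` is a candidate for the Mimikatz `crypto::cng` route; a row naming the Microsoft Platform Crypto Provider is TPM-bound and not recoverable by either method.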
CertDump is provided “as-is,” without warranty. Use at your own risk.