Certificates

Overview
Syntax
Output
Use Cases
Example Output
Remote Execution
Detection Considerations
Defensive Recommendations
Related Commands

Overview

The Certificates command enumerates personal certificates stored in both user and machine certificate stores. These certificates may be used for authentication, encryption, code signing, or other cryptographic operations, and can reveal valuable information about the system’s security posture and trust relationships.

Syntax

Seatbelt.exe Certificates

This command does not support remote execution.

Output

The command returns certificate information including:

Subject name
Issuer
Serial number
Validity period (NotBefore/NotAfter)
Thumbprint
Key usage
Enhanced key usage
Certificate template
Store location (User/Machine)

Use Cases

Red Team
Blue Team

Find certificates for authentication
Identify code signing certificates
Discover client authentication certificates
Locate certificates for credential theft
Identify trust relationships
Find expired or weak certificates

Example Output

====== Certificates ======

Store           : CurrentUser
Location        : My
Subject         : CN=user@domain.com
Issuer          : CN=Corporate CA, DC=domain, DC=com
ValidDate       : 1/15/2023 12:00:00 AM
ExpiryDate      : 1/15/2025 12:00:00 AM
Thumbprint      : 1234567890ABCDEF1234567890ABCDEF12345678
Template        : User
EnhancedKeyUsage: Client Authentication (1.3.6.1.5.5.7.3.2)

Store           : LocalMachine
Location        : My
Subject         : CN=SERVER01.domain.com
Issuer          : CN=Corporate CA, DC=domain, DC=com
ValidDate       : 3/1/2024 12:00:00 AM
ExpiryDate      : 3/1/2026 12:00:00 AM
Thumbprint      : ABCDEF1234567890ABCDEF1234567890ABCDEF12
Template        : WebServer
EnhancedKeyUsage: Server Authentication (1.3.6.1.5.5.7.3.1)

Remote Execution

This command does NOT support remote execution.

Detection Considerations

This command has minimal detection surface:

API Calls: Uses CryptoAPI functions to enumerate certificate stores
Low Privilege: No special privileges required for user stores
EDR Telemetry: May be logged as process behavior
No Network Activity: Operates entirely locally

Defensive Recommendations

Monitor execution of reconnaissance tools
Correlate with other enumeration activities
Track access to certificate private keys
Enable process creation logging

CertificateThumbprints - Thumbprints for all certificates
DPAPI MasterKeys - DPAPI master key enumeration
CredGuard - Credential Guard configuration

AutoRuns CertificateThumbprints

⌘I

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

Overview

Syntax

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Defensive Recommendations

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

​Overview

​Syntax

​Output

​Use Cases

​Example Output

​Remote Execution

​Detection Considerations

​Defensive Recommendations

​Related Commands

Overview

Syntax

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Defensive Recommendations

Related Commands