mr-tz opened this issue 3 years ago
It might make sense to cover the Windows API equivalents as part of this as well...
and:
- CertOpenSystemStore or CertOpenStore
- "ROOT" or L"ROOT"
- CertAddCertificateContextToStore or CertAddSerializedElementToStore
- CertFreeCertificateContext and/or CertCloseStore
references:
https://attack.mitre.org/techniques/T1553/004/
williballenthin: https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
certmgr.exe
localMachine
localMachineTrustedPublisher
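As an added example (not a rule from the capa-rules project and not code posted in this issue), here is one way the crypt32 API names and the "ROOT" store string listed above could be tied together in a capa rule. The namespace and author values are placeholders, and the `crypt32.` module prefixes and the single `scope: function` form are assumptions about the rule format in use when the issue was filed.

```yaml
rule:
  meta:
    name: install root certificate via crypt32 API
    namespace: persistence/certificate       # placeholder, not the project's namespace
    authors:
      - example@example.invalid               # placeholder
    scope: function
    att&ck:
      - Defense Evasion::Subvert Trust Controls::Install Root Certificate [T1553.004]
    references:
      - https://attack.mitre.org/techniques/T1553/004/
  features:
    - and:
      # a certificate store must be opened; capa matches the A/W variants too
      - or:
        - api: crypt32.CertOpenSystemStore
        - api: crypt32.CertOpenStore
      # the store name that makes this a *root* store install; matches both
      # the ASCII "ROOT" and the wide L"ROOT" literal
      - or:
        - string: "ROOT"
        - string: "Root"
      # a certificate is added to the opened store
      - or:
        - api: crypt32.CertAddCertificateContextToStore
        - api: crypt32.CertAddSerializedElementToStore
      # cleanup calls usually follow but are not required for a match
      - optional:
        - or:
          - api: crypt32.CertFreeCertificateContext
          - api: crypt32.CertCloseStore
```

The `optional:` block keeps the cleanup APIs visible in the match output without letting their absence suppress a hit.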