dissect.target.plugins.os.windows.certlog

Module Contents

Classes

CertLogPlugin

Return all available data stored in CertLog databases.

Functions

Attributes

dissect.target.plugins.os.windows.certlog.RequestAttributeRecord
dissect.target.plugins.os.windows.certlog.CertificateExtensionRecord
dissect.target.plugins.os.windows.certlog.CertificateRecord
dissect.target.plugins.os.windows.certlog.RequestRecord
dissect.target.plugins.os.windows.certlog.CRLRecord
dissect.target.plugins.os.windows.certlog.CertLogRecord
dissect.target.plugins.os.windows.certlog.FIELD_MAPPINGS
dissect.target.plugins.os.windows.certlog.format_fingerprint(input_hash: str | None) → tuple[str | None, str | None, str | None]
dissect.target.plugins.os.windows.certlog.format_serial_number(serial_number_as_hex: str | None) → str | None
dissect.target.plugins.os.windows.certlog.serial_number_as_int(serial_number_as_hex: str | None) → int | None
dissect.target.plugins.os.windows.certlog.FORMATING_FUNC: dict[str, collections.abc.Callable[[Any], Any]]
class dissect.target.plugins.os.windows.certlog.CertLogPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Return all available data stored in CertLog databases.

Certificate Authority databases are databases related to the Active Directory Certificate Services (AD CS) feature.

References

__namespace__ = 'certlog'

Defines the plugin namespace.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

read_records(table_name: str, record_type: CertLogRecord) → collections.abc.Iterator[CertLogRecord]
requests() → collections.abc.Iterator[RequestRecord]

Return the contents of the Requests table from all Certificate Authority databases.

Gives insight into certificates requested (caller name, request ID, request attributes).

request_attributes() → collections.abc.Iterator[RequestAttributeRecord]

Return the contents of the RequestAttributes table from all Certificate Authority databases.

Gives insight into attributes of requested certificates (the same information as in the request_attributes field of the Requests table).

crls() → collections.abc.Iterator[CRLRecord]

Return the contents of the CRLs table from all Certificate Authority databases.

Gives insight into the Certificate Revocation List of a Certificate Authority.

certificates() → collections.abc.Iterator[CertificateRecord]

Return the contents of the Certificates table from all Certificate Authority databases.

Gives insight into issued certificates for a Certificate Authority (public key, validity date).

certificate_extensions() → collections.abc.Iterator[CertificateExtensionRecord]

Return the contents of the CertificateExtensions table from all Certificate Authority databases.

Gives insight into certificate extensions for a CA.