Discover and Parse Certificate Files for offline analysis

[joeavanzato]

Currently we are using PowerShell cmdlets to retrieve this information - need to get the same information from the files directly for use in deadbox analysis.

[baileydauterman]

A note on certificates, whenever certs are being parsed - if there is a PIV/CAC cert tied to the machine it will always popup the authentication menu and will hang the script. I think this issue will fix that problem if we are able to access the cert files directly.

[baileydauterman]

After looking at the function, most likely related to the Test-Certificate call

[joeavanzato]

Interesting - that is good to know - yes parsing cert files directly would probably help to alleviate that - the regex is a little messy right now and could also be improved - basically I'm pulling CN out of the Issuer/Subject if it exists and O otherwise but there might be a cleaner way to approach this. Is there anyway to detect if the current cert is PIV/CAC-based and skip testing for that one as a temporary solution?

[baileydauterman]

This regex might be a bit better for parsing the signer out

$certRegex = "CN=(?<cn>.*?),\s+(?:OU=(?:.*?))+,\s+O=(?<signer>.*?),"
foreach ($cert in $certs) {
    if ($cert.Issuer -match $certRegex) {
        $matches["signer"].Trim('"')
    }
    $matches.Clear()
}