Forensic

Monday 18 November 2019, 08:30  #1
Forensic - Mimikatz
StashOfCode

For testing purposes, I’m running the Windows 10 1903 development environment with Hyper-V, and I’m trying to export the Remote Desktop certificate private key with the latest version of mimikatz (2.2.0 20190813 Carlos update).

I use an administrator account, and I run mimikatz from a command line running as administrator.

After setting debug privilege (# privilege::debug) and enabling capi (# crypto::capi) I get an error when trying the export:

# crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:"Remote Desktop" /export
* System Store : 'CERT_SYSTEM_STORE_LOCAL_MACHINE' (0x00020000)
* Store : 'Remote Desktop'

0. WinDev1907Eval
Key Container : TSSecKeySet1
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Provider type : RSA_FULL (1)
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090016)
Public export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_Remote Desktop_0_WinDev1907Eval.der'
ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx (0x80090016)
Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x80090016)

Any idea how to export the private key?