ENCRYPTION KEY LOG FILE

this is a text file that contains unique key pairs to decrypt the encrypted traffic session. These key pairs are automatically created (per session) when a connection is established with an SSL/TLS-enabled webpage.

BENEFITS

Centrally enables TLS decryption for security monitoring
Detects malware C2 traffic using HTTPS
Assists in forensic investigations

METHOD 1: PER HOST METHOD

#DEPLOY LOGGING
# Define log file location
$LogPath = "C:\TLSLogs"
$LogFile = "$LogPath\$(whoami).log"

# Create the TLS log directory if it doesn't exist
if (!(Test-Path -Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory -Force
    Write-Host "Created TLS log directory at $LogPath"
}

# Set SSLKEYLOGFILE environment variable for all users
[System.Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $LogFile, [System.EnvironmentVariableTarget]::Machine)

# Apply changes immediately
$env:SSLKEYLOGFILE = $LogFile
Write-Host "SSLKEYLOGFILE set to $LogFile"

# Verify the change
$SetValue = [System.Environment]::GetEnvironmentVariable("SSLKEYLOGFILE", "Machine")
Write-Host "Verification: SSLKEYLOGFILE is set to $SetValue"

# Restart browser processes to apply changes (Optional)
Get-Process chrome, firefox -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "Restarted browsers to apply SSL key logging."

# Confirm completion
Write-Host "SSL key logging is now enabled. Check logs at: $LogFile"

METHOD 2: GPO METHOD

#GPO IMPLEMENTATION
# Define variables
$GPOName = "Enable SSL Key Logging"
$LogPath = "C:\TLSLogs"
$LogFile = "$LogPath\%USERNAME%.log"
$DomainName = "yourdomain.com"  # Replace with your domain name

# Import GroupPolicy module
Import-Module GroupPolicy

# Create a new GPO for SSL Key Logging
$GPO = New-GPO -Name $GPOName -Comment "GPO to enable SSL Key Logging for all machines" 

# Configure the GPO to set the SSLKEYLOGFILE environment variable
# Set the environment variable in the GPO (Computer Configuration → Preferences → Windows Settings → Environment Variables)
$GPO | Set-GPRegistryValue -Key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -ValueName "SSLKEYLOGFILE" -Value $LogFile -Type String

# Link the GPO to the domain or specific Organizational Unit (OU)
# Example to link it to the root of the domain
New-GPLink -Name $GPOName -Target "DC=$($DomainName -replace '\.', ',DC=')"

# Force a group policy update on all machines (can be done later if needed)
Invoke-GPUpdate -Force

Write-Host "SSL Key Logging GPO deployed successfully."

METHOD 3: DOMAIN JOINED DEPLOYMENT

#DOMAIN JOINED IMPLEMENTATION GPO
$Computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

foreach ($PC in $Computers) {
    Invoke-Command -ComputerName $PC -ScriptBlock {
        $LogPath = "C:\TLSLogs"
        $LogFile = "$LogPath\$(whoami).log"

        if (!(Test-Path -Path $LogPath)) {
            New-Item -Path $LogPath -ItemType Directory -Force
        }

        [System.Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", $LogFile, [System.EnvironmentVariableTarget]::Machine)
        Write-Host "SSLKEYLOGFILE set on $env:COMPUTERNAME"
    }
}

CENTRALIZED COLLECTION

# Define the central log collection share
$CentralLogPath = "\\Server\TLSKeys"

# Get all domain computers
$Computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

# Iterate through each machine and collect logs
foreach ($PC in $Computers) {
    $RemoteLogFile = "\\$PC\C$\TLSLogs\$env:USERNAME.log"
    $DestFile = "$CentralLogPath\$PC-$(Get-Date -Format yyyyMMddHHmmss).log"

    if (Test-Path $RemoteLogFile) {
        try {
            Copy-Item -Path $RemoteLogFile -Destination $DestFile -Force
            Write-Host "Successfully collected logs from $PC"
        } catch {
            Write-Host "Failed to copy log from $PC"
        }
    } else {
        Write-Host "No log file found on $PC"
    }
}

DECRYPTING HTTPS TRAFFIC W/ KEYLOG FILE

root@dco:~$ wireshark &

WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
 (Pre)-Master-Secret log filename: KeyLogFile.txt
 
 * all https traffic can now be decrypted as long as the keylogfile were implemented enterprise-wide
 
#step 1: get an overview
WireShark
 Filter:  http2
 
 * Decompressed header info and HTTP2 packet details are available after decrypting the traffic. Depending on the packet details, you can also have the following data formats:
    - Frame, Decrypted TLS, Decompressed Header, Reassembled TCP, Reassembled SSL

PreviousSNI INSPECTION Next02.LOG ANALYSIS

Last updated 9 months ago