Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Sigma rule (View on GitHub)
1title: Certificate Exported From Local Certificate Store
2id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
3status: test
4description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
5references:
6 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
7author: Zach Mathis
8date: 2023/05/13
9tags:
10 - attack.credential_access
11 - attack.t1649
12logsource:
13 product: windows
14 service: certificateservicesclient-lifecycle-system
15detection:
16 selection:
17 EventID: 1007 # A certificate has been exported
18 condition: selection
19falsepositives:
20 - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
21level: medium
References
-
Explore the common certificate abuses leveraged by current and relevant adversaries in the wild, the multiple methods they use to obtain certificates, how to gather relevant logs and ways to mitigate adversaries stealing certificates.
Read More
Related rules
- Certificate Private Key Acquired
- HackTool - Certify Execution
- HackTool - Certipy Execution
- Certificate Exported Via PowerShell
- Kerberos .kirbi Ticket Files