Suspicious PFX File Creation
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Sigma rule
title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/14
  - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-07-07
tags:
  - attack.credential-access
  - attack.t1552.004
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith: '.pfx'
  filter_main_windows_tmp_key:
    TargetFilename|contains|all:
      - '\Templates\Windows\Windows_TemporaryKey.pfx'
      - '\CMake\'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - System administrators managing certificates.
level: medium
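The rule's logic is small enough to trace by hand, but it is worth seeing how the selection, the filter and the condition combine on real-looking data. The block below is an added example, not part of the Sigma rule or of SigmaHQ: it re-implements the rule's matching in plain Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. Two assumptions are built in: Sigma string modifiers such as `endswith` and `contains` match case-insensitively (so `backup.PFX` is caught), and the `Image` field is carried only for readability, since the rule itself keys on `TargetFilename` alone.

```python
"""Added example: evaluate the 'Suspicious PFX File Creation' Sigma logic
over constructed Sysmon FileCreate (Event ID 11) records.

Not the rule's own code; written for illustration. Assumes Sigma's default
case-insensitive string matching for the endswith/contains modifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    image: str            # creating process (context only; the rule ignores it)
    target_filename: str  # Sysmon 'TargetFilename': the path that was written


# selection:
#   TargetFilename|endswith: '.pfx'
def selection(ev: FileEvent) -> bool:
    return ev.target_filename.lower().endswith(".pfx")


# filter_main_windows_tmp_key:
#   TargetFilename|contains|all:
#     - '\Templates\Windows\Windows_TemporaryKey.pfx'
#     - '\CMake\'
# Both substrings must be present ("all"), not just one of them.
FILTER_TERMS = (
    "\\Templates\\Windows\\Windows_TemporaryKey.pfx",
    "\\CMake\\",
)


def filter_main_windows_tmp_key(ev: FileEvent) -> bool:
    path = ev.target_filename.lower()
    return all(term.lower() in path for term in FILTER_TERMS)


# condition: selection and not 1 of filter_main_*
def matches(ev: FileEvent) -> bool:
    return selection(ev) and not filter_main_windows_tmp_key(ev)


# Constructed sample events (not real telemetry). Paths chosen to exercise
# the case-insensitive suffix match, the CMake template exclusion, and a
# copy of that same template file outside a CMake directory.
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\System32\\certutil.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\export.pfx"),
    FileEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Temp\\backup.PFX"),
    FileEvent("C:\\Program Files\\CMake\\bin\\cmake.exe",
              "C:\\Program Files\\CMake\\share\\cmake-3.27\\Templates\\Windows\\Windows_TemporaryKey.pfx"),
    FileEvent("C:\\Windows\\explorer.exe",
              "C:\\Users\\bob\\Templates\\Windows\\Windows_TemporaryKey.pfx"),
    FileEvent("C:\\Windows\\System32\\notepad.exe",
              "C:\\Users\\alice\\Documents\\certs.pfx.bak"),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in run():
        print(f"ALERT  {ev.image}  ->  {ev.target_filename}")
```

Running it alerts on the certutil export, the upper-case `backup.PFX`, and the `Windows_TemporaryKey.pfx` copy under a user profile; the CMake-installed template is suppressed because both filter substrings are present, and `certs.pfx.bak` never enters the selection. The narrowness of the filter is deliberate: it exempts only the one known benign location, so the same file name written anywhere else still fires, which is the behaviour you want when tuning against a specific build-tool artifact rather than a file name.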
Related rules
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Cisco Crypto Commands
- PowerShell Get-Process LSASS
- Private Keys Reconnaissance Via CommandLine Tools