Suspicious PFX File Creation

A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.

Sigma rule (View on GitHub)

title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/14
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-07-07
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.pfx'
    filter_main_windows_tmp_key:
        TargetFilename|contains|all:
            - '\Templates\Windows\Windows_TemporaryKey.pfx'
            - '\CMake\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System administrators managing certificates.
level: medium
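To make the rule's `selection`, `filter_main_windows_tmp_key` and `condition` concrete, here is an added Python example (not part of the Sigma rule or the page) that evaluates the same logic over a handful of constructed Windows file_event records. It assumes events shaped like Sysmon Event ID 11 (FileCreate) with a `TargetFilename` field, applies Sigma's default case-insensitive string matching, and shows that the CMake template key is excluded while other PFX creations alert.

```python
"""Added example, not the rule's own code: re-implements the detection
logic of the 'Suspicious PFX File Creation' Sigma rule over sample events."""

# Constructed sample events (paths are invented for illustration), modelled on
# Sysmon Event ID 11 records as a file_event log source would present them.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\export.pfx"},
    {"Image": r"C:\Program Files\CMake\bin\cmake.exe",
     "TargetFilename": r"C:\Program Files\CMake\share\cmake\Templates\Windows\Windows_TemporaryKey.pfx"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": r"C:\Temp\backup.PFX"},
]


def selection(event):
    # selection: TargetFilename|endswith: '.pfx'
    # Sigma string matching is case-insensitive, so '.PFX' also matches.
    return event.get("TargetFilename", "").lower().endswith(".pfx")


def filter_main_windows_tmp_key(event):
    # filter_main_windows_tmp_key: TargetFilename|contains|all: [...]
    # Both substrings must be present for the filter to apply.
    name = event.get("TargetFilename", "").lower()
    needles = [
        "\\templates\\windows\\windows_temporarykey.pfx",
        "\\cmake\\",
    ]
    return all(n in name for n in needles)


def matches(event):
    # condition: selection and not 1 of filter_main_*
    # '1 of filter_main_*' is true when any filter_main_ selection matches.
    filters = [filter_main_windows_tmp_key]
    return selection(event) and not any(f(event) for f in filters)


def run(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block alerts on `export.pfx` and `backup.PFX` only: the `.txt` file never passes `selection`, and the CMake temporary key passes `selection` but is removed by the filter. When tuning the rule for your own environment, add further `filter_main_*` selections for known-good certificate tooling rather than loosening `selection`, so the `condition` line stays unchanged.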
