Suspicious PFX File Creation
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Sigma rule (View on GitHub)
1title: Suspicious PFX File Creation
2id: dca1b3e8-e043-4ec8-85d7-867f334b5724
3status: test
4description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
5references:
6 - https://github.com/OTRF/detection-hackathon-apt29/issues/14
7 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
9date: 2020/05/02
10modified: 2022/07/07
11tags:
12 - attack.credential_access
13 - attack.t1552.004
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 TargetFilename|endswith: '.pfx'
20 filter_main_windows_tmp_key:
21 TargetFilename|contains|all:
22 - '\Templates\Windows\Windows_TemporaryKey.pfx'
23 - '\CMake\'
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - System administrators managing certificates.
27level: medium
References
-
Description The attacker then harvests private keys (T1145) Steal PFX certificate: [meterpreter (PowerShell)\*] > Get-PrivateKeys [meterpreter (PowerShell)\*] > exit
Read More -
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More
Related rules
- Cisco Crypto Commands
- Private Keys Reconnaissance Via CommandLine Tools
- Certificate Exported Via PowerShell - ScriptBlock
- PowerShell Get-Process LSASS
- Bitbucket User Login Failure