Certificate Exported Via PowerShell - ScriptBlock

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Sigma rule (View on GitHub)

title: Certificate Exported Via PowerShell - ScriptBlock
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
related:
    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
      type: similar
status: test
description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Florian Roth (Nextron Systems)
date: 2021/04/23
modified: 2023/05/18
tags:
    - attack.credential_access
    - attack.t1552.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
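
The rule's condition evaluated over constructed ScriptBlockText samples, as an added example that is not part of the Sigma rule or its project's tooling. It assumes Sigma's default case-insensitive `contains` matching; the sample script text and the names `contains_any`, `rule_matches` and `evaluate` are hypothetical.

```python
# Added example: re-implements the rule's detection logic so the selection
# and the optional filter can be checked against sample script block text
# (the ScriptBlockText field of PowerShell Script Block Logging events).

SELECTION = ("Export-PfxCertificate", "Export-Certificate")
FILTER_OPTIONAL_MODULE_EXPORT = ("CmdletsToExport = @(",)


def contains_any(text, needles):
    """Sigma 'contains' with a value list: case-insensitive substring, OR-ed."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def rule_matches(script_block_text):
    """condition: selection and not 1 of filter_optional_*"""
    selected = contains_any(script_block_text, SELECTION)
    filtered = contains_any(script_block_text, FILTER_OPTIONAL_MODULE_EXPORT)
    return selected and not filtered


# Constructed samples (hypothetical, not real telemetry).
SAMPLES = {
    # Private key export from the machine store: expected alert.
    "pfx_export": r"Get-ChildItem Cert:\LocalMachine\My | "
                  r"Export-PfxCertificate -FilePath C:\Temp\out.pfx -Password $pw",
    # Different casing still matches because 'contains' ignores case.
    "cer_export_lowercase": r"export-certificate -Cert $c -FilePath C:\Temp\out.cer",
    # Module manifest that merely lists the cmdlets: suppressed by the filter.
    "module_manifest": "@{ ModuleVersion = '1.0'; "
                       "CmdletsToExport = @('Export-Certificate') }",
    # A comment naming the cmdlet: substring match, so a false positive.
    "comment_only": "# TODO: document Export-Certificate usage for the PKI team",
    # Certificate store enumeration without export: no match.
    "unrelated": r"Get-ChildItem Cert:\CurrentUser\My | Select-Object Thumbprint",
}


def evaluate(samples):
    """Return {sample name: True if the rule would alert}."""
    return {name: rule_matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

The `comment_only` sample shows why the rule lists administrator activity as a false positive source: matching is on substrings of the logged script text, not on parsed cmdlet invocations.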
