Certificate Exported Via Certutil.EXE
Detects the execution of certutil.exe with the "exportPFX" flag, which allows the utility to export certificates.
Sigma rule
```yaml
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign.
level: medium
```
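To make the detection logic concrete, the following is an added example (not code from the Sigma project or the rule authors) that evaluates the rule above against a few constructed process_creation events. It assumes events arrive as dictionaries with `Image`, `OriginalFileName` and `CommandLine` fields, and it assumes that the `windash` modifier is expanded to the hyphen, slash, en dash and em dash variants of the leading dash; check your backend's expansion if it differs.

```python
"""Added example: a minimal evaluator for the certutil exportPFX rule over
constructed process_creation events. Not part of the Sigma project; the
event schema (dict with Image/OriginalFileName/CommandLine) is an assumption."""

# Sigma's `windash` modifier expands the leading dash into the dash variants
# Windows command-line parsers accept. This set (hyphen, slash, en dash,
# em dash) is an assumption about how a given backend expands the modifier.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014")


def windash_expand(value: str) -> list[str]:
    """Return every variant of `value` with its leading dash swapped."""
    return [dash + value[1:] for dash in WINDASH_VARIANTS]


# Constants lifted from the rule's detection block. Sigma string matching is
# case-insensitive by default, so everything is compared in lower case.
IMAGE_SUFFIX = "\\certutil.exe"
ORIGINAL_FILE_NAME = "certutil.exe"
CLI_PATTERNS = [p.lower() for p in windash_expand("-exportPFX ")]  # trailing space kept


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, which Sigma ORs together."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains|windash: '-exportPFX '."""
    cmd = event.get("CommandLine", "").lower()
    return any(pattern in cmd for pattern in CLI_PATTERNS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def evaluate(events: list[dict]) -> list[bool]:
    """Apply the rule to each event and return one verdict per event."""
    return [rule_matches(e) for e in events]


# Constructed sample events (not real telemetry); <store>/<serial> are placeholders.
SAMPLE_EVENTS = [
    {   # hyphen form: should match
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil.exe -exportPFX <store> <serial> C:\\Temp\\out.pfx",
    },
    {   # slash form: matched only because of the windash expansion
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil /exportPFX <store> <serial> out.pfx",
    },
    {   # renamed binary: Image does not match, OriginalFileName still does
        "Image": "C:\\Users\\Public\\cu.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "cu.exe -exportpfx <store> <serial> out.pfx",
    },
    {   # benign certutil usage: should not match
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil.exe -dump",
    },
    {   # flag present but not certutil: selection_img fails, no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo -exportPFX ",
    },
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "  ok ", event["CommandLine"])
```

Two details of the rule are visible in the outcomes: the `OriginalFileName` alternative catches a renamed copy of the binary, and the trailing space in `'-exportPFX '` means the flag only matches when it is followed by a space, so a command line that ends immediately after the flag, or glues something to it, is not covered.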
Related rules
- Base64 Encoded PowerShell Command Detected
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs
- File Decoded From Base64/Hex Via Certutil.EXE