Certificate Exported Via PowerShell

calendar Apr 1, 2024 · attack.credential_access attack.execution attack.t1552.004 attack.t1059.001  ·
Share on: linkedin copy

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Sigma rule (View on GitHub)

 1title: Certificate Exported Via PowerShell
 2id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
 3related:
 4    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
 5      type: similar
 6status: test
 7description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
 8references:
 9    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
10    - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
11    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023/05/18
14tags:
15    - attack.credential_access
16    - attack.execution
17    - attack.t1552.004
18    - attack.t1059.001
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection:
24        CommandLine|contains:
25            - 'Export-PfxCertificate '
26            - 'Export-Certificate '
27    condition: selection
28falsepositives:
29    - Legitimate certificate exports by administrators. Additional filters might be required.
30level: medium

References

Related rules

to-top