Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Detects use of the "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity.
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Cisco Crypto Commands
Shows when private keys are being exported from the device, or when new certificates are installed.