Certificate Exported Via PowerShell - ScriptBlock · May 18, 2023 · attack.credential_access attack.t1552.004
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors have been seen abusing this to steal private keys from compromised machines.
Private Keys Reconnaissance Via CommandLine Tools · May 5, 2023 · attack.credential_access attack.t1552.004
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
PowerShell Get-Process LSASS · Feb 21, 2023 · attack.credential_access attack.t1552.004
Detects a "Get-Process" cmdlet and its aliases targeting the lsass process, which is in almost all cases a sign of malicious activity.
Suspicious PFX File Creation · Feb 7, 2023 · attack.credential_access attack.t1552.004
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Cisco Crypto Commands · Jan 4, 2023 · attack.credential_access attack.defense_evasion attack.t1553.004 attack.t1552.004
Shows when private keys are being exported from the device, or when new certificates are installed.