t1552.004 | LoFP

t1552.004

Title	Tags
false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.	t1552 t1552.004 t1649 endpoint splunk
it is possible administrators or scripts may run these commands, filtering may be required.	t1059 t1059.001 t1505 t1505.004 t1552 t1552.004 t1562 t1562.002 t1649 endpoint splunk
legitimate certificate exports by administrators. additional filters might be required.	t1059 t1059.001 t1552 t1552.004 windows sigma
not commonly run by administrators. also whitelist your known good certificates	t1552 t1552.004 t1553 t1553.004 cisco sigma
system administrators managing certificates.	t1552 t1552.004 windows sigma