t1552.004
| Title | Tags |
| --- | --- |
| false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export. | t1552, t1552.004, t1649, endpoint, splunk |
| it is possible administrators or scripts may run these commands, filtering may be required. | t1059, t1059.001, t1505, t1505.004, t1552, t1552.004, t1562, t1562.002, t1649, endpoint, splunk |
| legitimate certificate exports by administrators. additional filters might be required. | t1059, t1059.001, t1552, t1552.004, windows, sigma |
| not commonly run by administrators. also whitelist your known good certificates | t1552, t1552.004, t1553, t1553.004, cisco, sigma |
| system administrators managing certificates. | t1552, t1552.004, windows, sigma |