false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.

t1552
t1552.004
t1649
endpoint
splunk

Techniques

T1552
T1552.004
T1649

Sample rules

Windows Export Certificate

source: splunk
technicques:
- T1552.004
- T1552
- T1649

Description

The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.

Detection logic

`certificateservices_lifecycle` EventCode=1007 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml 
| rename Computer as dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `windows_export_certificate_filter`