false positives may be generated based on an automated process or service that exports certificates on the regular. review is required before setting to alert. monitor for abnormal processes performing an export.

t1552
t1552.004
t1649
endpoint
splunk

Techniques

T1552
T1552.004
T1649

Sample rules

Windows Export Certificate

source: splunk
technicques:
- T1552.004
- T1552
- T1649

Description

The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources.

Detection logic

`certificateservices_lifecycle` EventCode=1007 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml 
| rename Computer as dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `windows_export_certificate_filter`