false positives may be present and may need to be reviewed before this can be turned into a ttp. in addition, remove .pfx (standalone) if it's too much volume.

t1649
endpoint
splunk

Techniques

T1649

Sample rules

Windows Mimikatz Crypto Export File Extensions

source: splunk
technicques:
- T1649

Description

The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.keyx.rsa.pvk","*sign.rsa.pvk","*sign.dsa.pvk","*dsa.ec.p8k","*dh.ec.p8k", "*.pfx", "*.der") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Filesystem)` 
| `windows_mimikatz_crypto_export_file_extensions_filter`