Techniques
Sample rules
Windows Steal Authentication Certificates Export Certificate
- source: splunk
- technicques:
- T1649
Description
The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-certificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_export_certificate_filter`
Windows Steal Authentication Certificates Export PfxCertificate
- source: splunk
- technicques:
- T1649
Description
The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-pfxcertificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_steal_authentication_certificates_export_pfxcertificate_filter`