Techniques
Sample rules
Certificate Exported From Local Certificate Store
- source: sigma
- techniques:
  - t1649
Description
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Detection logic
condition: selection
selection:
  EventID: 1007
Certificate Private Key Acquired
- source: sigma
- techniques:
  - t1649
Description
Detects when an application acquires a certificate private key.
Detection logic
condition: selection
selection:
  EventID: 70