Legitimate certificate exports by administrators. Additional filters might be required.

Techniques

Sample rules

Certificate Exported Via PowerShell

Description

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - 'Export-PfxCertificate '
  - 'Export-Certificate '

Certificate Exported Via PowerShell - ScriptBlock

Description

Detects calls to cmdlets inside PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_module_export:
  ScriptBlockText|contains: CmdletsToExport = @(
selection:
  ScriptBlockText|contains:
  - Export-PfxCertificate
  - Export-Certificate
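As an added example, not part of this page or of the rule set it documents, the following Python evaluates both rules above against constructed sample events: the CommandLine rule (process creation, patterns with a trailing space) and the ScriptBlock rule with its `CmdletsToExport = @(` module-manifest filter. Only the patterns and the filter string come from the rules; the event dictionaries, the `evaluate` helper and the optional `extra_filters` hook for excluding known administrative exports are assumptions made for the example.

```python
"""Added example: evaluates the two Sigma rules documented above against
constructed sample events. Not part of the original page or rule set."""

# Rule 'Certificate Exported Via PowerShell' (process creation, CommandLine).
# The trailing space is part of each pattern in the original rule.
COMMANDLINE_PATTERNS = ("Export-PfxCertificate ", "Export-Certificate ")

# Rule 'Certificate Exported Via PowerShell - ScriptBlock' (ScriptBlockText).
SCRIPTBLOCK_PATTERNS = ("Export-PfxCertificate", "Export-Certificate")
# filter_optional_module_export: module manifests list cmdlet names here,
# so a logged manifest is not an export attempt.
SCRIPTBLOCK_FILTERS = ("CmdletsToExport = @(",)


def match_commandline(event: dict, extra_filters=()) -> bool:
    """condition: selection (plus optional site-specific exclusions)."""
    cmd = event.get("CommandLine", "")
    selected = any(p in cmd for p in COMMANDLINE_PATTERNS)
    # extra_filters: hypothetical hook for tuning away legitimate admin exports
    # (the page notes additional filters may be required); not in the rule.
    return selected and not any(f(event) for f in extra_filters)


def match_scriptblock(event: dict, extra_filters=()) -> bool:
    """condition: selection and not 1 of filter_optional_*."""
    text = event.get("ScriptBlockText", "")
    selected = any(p in text for p in SCRIPTBLOCK_PATTERNS)
    filtered = any(f in text for f in SCRIPTBLOCK_FILTERS)
    return selected and not filtered and not any(f(event) for f in extra_filters)


def evaluate(events, extra_filters=()):
    """Return a list of (event id, rule title) hits in event order."""
    hits = []
    for ev in events:
        if match_commandline(ev, extra_filters):
            hits.append((ev["id"], "Certificate Exported Via PowerShell"))
        if match_scriptblock(ev, extra_filters):
            hits.append((ev["id"], "Certificate Exported Via PowerShell - ScriptBlock"))
    return hits


# Constructed sample events (not real telemetry). <THUMBPRINT> is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "User": "CORP\\jdoe",
     "CommandLine": 'powershell.exe -c "Export-PfxCertificate -Cert '
                    'Cert:\\LocalMachine\\My\\<THUMBPRINT> -FilePath C:\\temp\\o.pfx"'},
    {"id": 2, "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c Get-ChildItem Cert:\\LocalMachine\\My"},
    {"id": 3, "User": "CORP\\pki-backup",
     "ScriptBlockText": "Export-Certificate -Cert $c -FilePath C:\\backup\\web.cer"},
    # A module manifest that merely names the cmdlet: excluded by the filter.
    {"id": 4, "User": "CORP\\jdoe",
     "ScriptBlockText": "@{ ModuleVersion = '1.0'; "
                        "CmdletsToExport = @('Export-Certificate', 'Import-Certificate') }"},
    # No trailing space after the cmdlet name: the CommandLine rule does not fire.
    {"id": 5, "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c Export-Certificate"},
]


def known_backup_account(event: dict) -> bool:
    """Hypothetical site-specific exclusion: a documented PKI backup account."""
    return event.get("User") == "CORP\\pki-backup"


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("hit (untuned):", hit)
    for hit in evaluate(SAMPLE_EVENTS, extra_filters=(known_backup_account,)):
        print("hit (tuned):  ", hit)
```

Event 5 shows the caveat in the CommandLine rule: the patterns carry a trailing space, so a cmdlet name at the very end of a command line is not matched there (the ScriptBlock rule, which has no trailing space, would still catch it once the script block is logged). Event 4 shows why the module-manifest filter exists, and the `known_backup_account` hook is one shape the page's "additional filters" could take.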