LoFP / not commonly run by administrators. also whitelist your known good certificates

Techniques

• t1552
• t1552.004
• t1553
• t1553.004

Sample rules

Cisco Crypto Commands

• source: sigma
• technicques:
  • t1552
  • t1552.004
  • t1553
  • t1553.004

Description

Show when private keys are being exported from the device, or when new certificates are installed

Detection logic

condition: keywords
keywords:
- crypto pki export
- crypto pki import
- crypto pki trustpoint