Techniques
Sample rules
Suspicious PFX File Creation
- source: sigma
- techniques:
  - t1552
  - t1552.004
Description
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_windows_tmp_key:
  TargetFilename|contains|all:
    - \Templates\Windows\Windows_TemporaryKey.pfx
    - \CMake\
selection:
  TargetFilename|endswith: .pfx
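
The detection logic above, evaluated over constructed file-creation events. This is an added example, not part of the Sigma rule or its project. The event dictionaries, paths and process names are assumptions made for illustration; matching is case-insensitive, as Sigma string modifiers are by default.

```python
# Added example: evaluates the rule's conditions over constructed file-creation events.
# Sigma string modifiers match case-insensitively by default, so values are lowercased.

FILTER_MAIN_WINDOWS_TMP_KEY = [
    "\\Templates\\Windows\\Windows_TemporaryKey.pfx",
    "\\CMake\\",
]


def selection(event):
    # TargetFilename|endswith: .pfx
    return event.get("TargetFilename", "").lower().endswith(".pfx")


def filter_main_windows_tmp_key(event):
    # TargetFilename|contains|all: every listed substring must be present
    name = event.get("TargetFilename", "").lower()
    return all(part.lower() in name for part in FILTER_MAIN_WINDOWS_TMP_KEY)


FILTERS_MAIN = [filter_main_windows_tmp_key]  # the set behind "1 of filter_main_*"


def rule_matches(event):
    # condition: selection and not 1 of filter_main_*
    return selection(event) and not any(f(event) for f in FILTERS_MAIN)


# Constructed sample events (hypothetical paths and process names, not real telemetry)
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\example.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\export.PFX"},
    {"Image": "C:\\Program Files\\CMake\\bin\\cmake.exe",
     "TargetFilename": "C:\\Program Files\\CMake\\share\\Templates\\Windows\\Windows_TemporaryKey.pfx"},
    {"Image": "C:\\Tools\\build.exe",
     "TargetFilename": "C:\\Temp\\Templates\\Windows\\Windows_TemporaryKey.pfx"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.pfx.txt"},
]


def alerts(events):
    # Return the TargetFilename of every event the rule fires on
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The third event carries the temporary-key file name but sits outside a \CMake\ path, so contains|all does not suppress it and the rule still fires.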