LoFP / There are legitimate reasons to export certificates. Investigate the activity to determine whether it is benign.

Techniques

Sample rules

Certificate Exported Via Certutil.EXE

Description

Detects the execution of certutil with the “exportPFX” flag, which allows the utility to export certificates (and their private keys) to a PFX file.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: '-exportPFX '
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
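To show how the two selections combine (the image selection is an OR over its list entries, the two selections are ANDed by the condition, and Sigma string matching is case-insensitive), here is an added Python evaluator that applies the rule's logic to constructed Sysmon-style process-creation events. It is example code, not part of the LoFP page or the Sigma project. The set of dash characters that the `windash` modifier expands to is an assumption; the event records and their `id` values are constructed for the example.

```python
"""Added example: evaluate the certutil exportPFX rule over constructed events."""
from typing import Dict, Iterable, List

# Assumption: Sigma's windash modifier rewrites a leading "-" into each of
# the dash styles that Windows command-line parsers commonly accept.
DASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value: str) -> List[str]:
    """Return `value` with its leading '-' swapped for every dash variant."""
    if not value.startswith("-"):
        return [value]
    return [dash + value[1:] for dash in DASH_VARIANTS]


def selection_img(event: Dict[str, str]) -> bool:
    """Sigma list-of-maps selection: either entry matching is enough (OR)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # endswith handles any install path; OriginalFileName survives renaming.
    return image.endswith("\\certutil.exe") or original == "certutil.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains|windash: '-exportPFX ' (case-insensitive substring)."""
    cmd = event.get("CommandLine", "").lower()
    return any(v.lower() in cmd for v in windash_variants("-exportPFX "))


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of events that fire the rule."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # plain certutil export: fires
        "id": "evt-1",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -exportPFX my CA cert.pfx",
    },
    {   # renamed binary, slash-style switch: still fires via OriginalFileName + windash
        "id": "evt-2",
        "Image": r"C:\Users\Public\cu.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"cu.exe /exportPFX my.pfx -p pass",
    },
    {   # en dash typed on the command line: covered by windash
        "id": "evt-3",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil.exe \u2013exportPFX MY cert.pfx",
    },
    {   # certutil doing something else: no match
        "id": "evt-4",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -encode in.txt out.b64",
    },
    {   # the string in another process's command line: image selection fails
        "id": "evt-5",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -c Write-Host '-exportPFX '",
    },
    {   # flag at the very end: the rule's trailing space is not present, so no match
        "id": "evt-6",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -exportPFX",
    },
]

if __name__ == "__main__":
    for eid in scan(SAMPLE_EVENTS):
        print("rule fired on", eid)
```

Events 1 to 3 fire; event 5 shows why the image selection matters (the string alone is not enough), and event 6 shows that the literal trailing space in `'-exportPFX '` means the pattern requires something after the flag, which is worth knowing when tuning the rule or triaging the false positives the page mentions.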