unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. extraction of certificate has been observed during attacks such as golden saml and other campaigns targeting federated services.

endpoint
splunk

Techniques

Sample rules

Certutil exe certificate extraction

source: splunk
technicques:

Description

This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `certutil_exe_certificate_extraction_filter`