
Certificate Exported From Local Certificate Store

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Author: Zach Mathis
Created: Sat May 13
Rule ID: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
Product: windows
Log Source
Product: windows
Service: certificateservicesclient-lifecycle-system
Detection Logic
detection:
    selection:
        EventID: 1007 # A certificate has been exported
    condition: selection
False Positives

Legitimate applications requesting certificate exports will trigger this. Apply additional filters as needed.
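As an added example that is not part of the rule or the Sigma project, the following Python evaluates the selection above (EventID 1007) over constructed Windows events and applies a process allowlist in the spirit of the false-positive note. The provider name and the Process enrichment field are assumptions, as is the sample data.

```python
"""Evaluate the Sigma selection (EventID 1007 from the
CertificateServicesClient-Lifecycle-System log) against constructed
Windows events, with an optional allowlist for known-good exporters."""
from typing import Iterable

# Constructed sample events (not real telemetry). 'Provider' and 'EventID'
# mirror the event's System block; 'Process' is an assumed enrichment field.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
     "EventID": 1007, "Computer": "ws01.example.internal",
     "Process": "C:\\Windows\\System32\\mmc.exe"},
    {"Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
     "EventID": 1001, "Computer": "ws01.example.internal",
     "Process": "C:\\Windows\\System32\\svchost.exe"},
    {"Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
     "EventID": 1007, "Computer": "ws02.example.internal",
     "Process": "C:\\Program Files\\BackupAgent\\backup.exe"},
    {"Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 1007, "Computer": "ws02.example.internal",
     "Process": "C:\\Windows\\System32\\lsass.exe"},
]

SIGMA_SELECTION = {"EventID": 1007}
# Assumed provider name for the rule's logsource service.
LOG_PROVIDER = "Microsoft-Windows-CertificateServicesClient-Lifecycle-System"


def matches_selection(event: dict, selection: dict) -> bool:
    """Sigma selection semantics: every listed field must equal its value (AND)."""
    return all(event.get(field) == value for field, value in selection.items())


def detect(events: Iterable[dict], allowlist: Iterable[str] = ()) -> list:
    """Return events that hit the rule, dropping allowlisted exporting processes."""
    allowed = {p.lower() for p in allowlist}
    hits = []
    for ev in events:
        # The logsource restricts the rule to this provider; enforce it here too.
        if ev.get("Provider") != LOG_PROVIDER:
            continue
        if not matches_selection(ev, SIGMA_SELECTION):
            continue
        if ev.get("Process", "").lower() in allowed:
            continue  # tuned-out false positive
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowlist=[r"C:\Program Files\BackupAgent\backup.exe"]):
        print(f"ALERT {hit['Computer']}: certificate exported by {hit['Process']}")
```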

Rule Metadata
Rule ID
58c0bff0-40a0-46e8-b5e8-b734b84d2017
Status
test
Level
medium
Type
Detection
Created
Sat May 13
Path
rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
Raw Tags
attack.credential-access, attack.t1649