Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu May 18
Rule ID: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
detection:
    selection:
        CommandLine|contains:
            - 'Export-PfxCertificate '
            - 'Export-Certificate '
    condition: selection

False Positives
Legitimate certificate exports by administrators, for example during certificate backup or migration. Additional filters, such as excluding known administrative accounts or approved destination paths, might be required.
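To see what the selection actually matches, here is an added Python example (not part of the rule or of the Sigma project) that evaluates the rule's two CommandLine|contains patterns over constructed process-creation events. The ProcessEvent class, the sample command lines, the encode_powershell helper and the regex variant are this editor's own; only the two patterns are copied from the rule. It also shows the caveats a practitioner should know: Sigma string matching is case-insensitive, the trailing space in each literal means a command line ending in the bare cmdlet name is not matched, and a -EncodedCommand invocation hides the cmdlet from CommandLine entirely, so neither variant sees it.

```python
import base64
import re
from dataclasses import dataclass

# Patterns transcribed from the rule's selection (note the trailing space in each).
CMDLINE_CONTAINS = ("Export-PfxCertificate ", "Export-Certificate ")


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-creation event (constructed, not real telemetry)."""
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """Evaluate the rule's selection: CommandLine|contains any of the patterns.

    Sigma string matching is case-insensitive by default, so both sides are
    lowercased. The trailing space is part of each literal, so the cmdlet must
    be followed by at least one more character on the command line to match.
    """
    cmd = event.command_line.lower()
    return any(pattern.lower() in cmd for pattern in CMDLINE_CONTAINS)


# Editor's suggestion, not part of the rule: a word-boundary regex (Sigma's
# CommandLine|re modifier) matches the cmdlet whether or not an argument follows.
CMDLINE_REGEX = re.compile(r"export-(pfx)?certificate\b", re.IGNORECASE)


def matches_regex_variant(event: ProcessEvent) -> bool:
    return CMDLINE_REGEX.search(event.command_line) is not None


def encode_powershell(command: str) -> str:
    """Produce the -EncodedCommand form PowerShell accepts (UTF-16LE, then base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample events: two true positives (one in odd casing), a bare
# cmdlet with no argument, an encoded command, and a different tool entirely.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe",
                 'powershell -c "Export-PfxCertificate -Cert $c -FilePath C:\\Users\\Public\\k.pfx -Password $p"'),
    ProcessEvent("pwsh.exe", "pwsh -Command export-certificate -Cert $c -FilePath out.cer"),
    ProcessEvent("powershell.exe", "powershell -Command Export-PfxCertificate"),
    ProcessEvent("powershell.exe",
                 "powershell -EncodedCommand " + encode_powershell("Export-PfxCertificate -Cert $c -FilePath k.pfx")),
    ProcessEvent("cmd.exe", 'cmd /c "certutil -exportPFX my 1234 out.pfx"'),
]


def evaluate(events=None):
    """Return (rule_hits, regex_hits): one boolean per event for each selector."""
    events = SAMPLE_EVENTS if events is None else events
    return ([matches_rule(e) for e in events], [matches_regex_variant(e) for e in events])


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()[0]):
        print(f"{'ALERT' if hit else 'pass '}  {event.image}: {event.command_line[:70]}")
```

Run as a script it prints one line per sample event. The encoded-command and certutil events are out of scope for this rule by design; if those shapes matter in your environment they need a separate rule on ScriptBlock logging (Event ID 4104) or on certutil command lines, not a widening of this one.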
MITRE ATT&CK
Tactics: Credential Access, Execution
Techniques: T1552.004 (Unsecured Credentials: Private Keys), T1059.001 (Command and Scripting Interpreter: PowerShell)
Rule Metadata
Rule ID
9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Status
test
Level
medium
Type
Detection
Created
Thu May 18
Path
rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
Raw Tags
attack.credential-access, attack.execution, attack.t1552.004, attack.t1059.001