Detectionmediumtest

Certificate Exported Via PowerShell - ScriptBlock

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Fri Apr 23Updated Thu May 18aa7a3fce-bef5-4311-9cc1-5f04bb8c308cwindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*

False Positives

Legitimate certificate exports by administrators. Additional filters might be required.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1552.004 · Private Keys

Related Rules

SimilarDetectionmedium

Certificate Exported Via PowerShell

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

aa7a3fce-bef5-4311-9cc1-5f04bb8c308c

Status

test

Level

medium

Type

Detection

Created

Fri Apr 23

Modified

Thu May 18

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml

Raw Tags

attack.credential-accessattack.t1552.004

View on GitHub