Type: Detection | Level: medium | Status: test

Certificate Private Key Acquired

Detects when an application acquires a certificate private key

Author: Zach Mathis
Created: Sat May 13
Rule ID: e2b5163d-7deb-4566-9af3-40afea6858c3
Product: windows
Log Source
Product: Windows (raw: windows)
Service: capi2 (raw: capi2)

Definition

Requirements: The CAPI2 Operational log needs to be enabled

Detection Logic (1 selector)
detection:
    selection:
        EventID: 70 # Acquire Certificate Private Key
    condition: selection
False Positives

Legitimate applications requesting certificate exports will trigger this. Apply additional filters as needed.
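The following is an added example, not part of the rule or the Sigma project: it applies the rule's single selector (EventID 70 on the CAPI2 log source) to constructed events and then applies the kind of additional filter the false-positive note asks for. Sigma's product=windows / service=capi2 log source corresponds to the Microsoft-Windows-CAPI2/Operational channel; field names other than Channel and EventID (ProcessName, SubjectName) are assumptions standing in for the parsed event data.

```python
"""Apply this Sigma rule to constructed CAPI2 events and triage its matches."""

CAPI2_CHANNEL = "Microsoft-Windows-CAPI2/Operational"  # Sigma logsource service=capi2
ACQUIRE_CERT_PRIVATE_KEY = 70  # the rule's selection: EventID 70


def sigma_match(event: dict) -> bool:
    """The rule as written: log source channel plus EventID 70, nothing else."""
    return (event.get("Channel") == CAPI2_CHANNEL
            and event.get("EventID") == ACQUIRE_CERT_PRIVATE_KEY)


def triage(events: list, allowlist: tuple = ()) -> list:
    """Rule matches minus events whose process image is allowlisted.

    This is the 'additional filter' the false-positive note calls for: a known
    backup or export agent is dropped, every other match is surfaced for review.
    ProcessName is an assumed field name, not the event's documented schema.
    """
    allowed = {p.lower() for p in allowlist}
    hits = []
    for ev in events:
        if sigma_match(ev) and ev.get("ProcessName", "").lower() not in allowed:
            hits.append(ev)
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Channel": CAPI2_CHANNEL, "EventID": 70,
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe", "SubjectName": "CN=srv01"},
    {"Channel": CAPI2_CHANNEL, "EventID": 70,
     "ProcessName": r"C:\Users\alice\Downloads\exportcerts.exe", "SubjectName": "CN=alice"},
    {"Channel": CAPI2_CHANNEL, "EventID": 11,   # other CAPI2 event, outside the rule
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"Channel": "Security", "EventID": 70,      # same ID on another channel: no match
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
]

# Assumed allowlist of processes known to export certificates in this environment.
KNOWN_EXPORTERS = (r"C:\Program Files\BackupAgent\agent.exe",)

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, KNOWN_EXPORTERS):
        print(f"{hit['ProcessName']} acquired private key for {hit.get('SubjectName')}")
```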

Rule Metadata
Rule ID
e2b5163d-7deb-4566-9af3-40afea6858c3
Status
test
Level
medium
Type
Detection
Created
Sat May 13
Path
rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
Raw Tags
attack.credential-access, attack.t1649