2021-04-23 09:51:31 +02:00
title : Suspicious Export-PfxCertificate
2021-04-23 09:01:14 +02:00
id : aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
status : experimental
description : Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines
references :
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
tags :
- attack.credential_access
- attack.t1552.004
author : Florian Roth
date : 2021 /04/23
logsource :
product : windows
service : powershell
definition : 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection :
keywords :
EventID : 4104
ScriptBlockText|contains :
- "Export-PfxCertificate"
condition : keywords
falsepositives :
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level : high
