2021-04-23 09:51:31 +02:00
title : Suspicious Export-PfxCertificate
2021-04-23 09:01:14 +02:00
id : aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
status : experimental
2021-08-18 18:58:20 +00:00
description : Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines
2021-04-23 09:01:14 +02:00
references :
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
tags :
- attack.credential_access
- attack.t1552.004
author : Florian Roth
date : 2021 /04/23
2021-08-04 14:49:50 +02:00
modified : 2021 /08/04
2021-04-23 09:01:14 +02:00
logsource :
product : windows
service : powershell
2021-08-21 09:50:59 +02:00
definition : Script Block Logging must be enable
2021-04-23 09:01:14 +02:00
detection :
2021-08-21 09:50:59 +02:00
PfxCertificate :
2021-04-23 09:01:14 +02:00
EventID : 4104
2021-08-04 14:49:50 +02:00
ScriptBlockText|contains : "Export-PfxCertificate"
2021-08-21 09:50:59 +02:00
condition : PfxCertificate
2021-04-23 09:01:14 +02:00
falsepositives :
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level : high
