Certificate Exported Via PowerShell

Rule Info

Tags: DEMO
Name: Certificate Exported Via PowerShell
Id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Date: 2023-05-18 00:00:00
Modified: None
Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Author: Nasreddine Bencherchali (Nextron Systems)
Type: Community Rule

Rule History

Title: feat: update metadata and add process creation version
Author: Nasreddine Bencherchali
Commit:
Date: 2023-05-18