
Rule Info
Tags: DEMO
Name: Certificate Exported Via PowerShell
Id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Date: 2023-05-18 00:00:00
Modified: None
Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Author: Nasreddine Bencherchali (Nextron Systems)
Type: Community Rule
Link to Public Repo
Rule History
Title | Author | Commit | Date