Certificate Exported Via PowerShell

Rule Info

Name
Certificate Exported Via PowerShell
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Reference
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
Date
2023-05-18 00:00:00
Modified
None
Id
9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Tags
attack.credential-access attack.execution attack.t1552.004 attack.t1059.001
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=9e716b33-63b2-46da-86a4-bd3c3b9b5dfb

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
1d40f1d20
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Tessa Georgen
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28
60b8e9b70
Nasreddine Bencherchali
feat: update metadata and add process creation version
2023-05-18
a6e5a93e3
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022