Certificate Exported Via PowerShell

Rule Info

Tags
DEMO
Name
Certificate Exported Via PowerShell
Id
9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Date
2023-05-18 00:00:00
Modified
None
Description
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Reference
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
Author
Nasreddine Bencherchali (Nextron Systems)
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=9e716b33-63b2-46da-86a4-bd3c3b9b5dfb

Rule History

Title
Author
Commit
Date
feat: update metadata and add process creation version
Nasreddine Bencherchali
a6e5a93e3
2023-05-18
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022