Certificate Exported Via PowerShell

Rule Info

Name
Certificate Exported Via PowerShell
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Date
2023-05-18 00:00:00
Modified
None
Id
9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
Tags
attack.credential-access attack.execution attack.t1552.004 attack.t1059.001
Type
Community Rule

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
Tessa Georgen
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28
Nasreddine Bencherchali
feat: update metadata and add process creation version
2023-05-18