sigmamediumHunting

Certificate Exported From Local Certificate Store

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

MITRE ATT&CK

T1649

credential-access

Detection Query

selection:
  EventID: 1007
condition: selection

Author

Zach Mathis

Created

2023-05-13

Data Sources

windowscertificateservicesclient-lifecycle-system

Platforms

windows

References

https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html

Tags

attack.credential-accessattack.t1649

Raw Content

title: Certificate Exported From Local Certificate Store
id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
status: test
description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: certificateservicesclient-lifecycle-system
detection:
    selection:
        EventID: 1007 # A certificate has been exported
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium