sigma · medium · Hunting

Certificate Exported Via PowerShell - ScriptBlock

Detects calls to cmdlets inside PowerShell scripts that export certificates from the local certificate store. Threat actors have been observed abusing these cmdlets to steal private keys from compromised machines.

MITRE ATT&CK

credential-access

Detection Query

selection:
  ScriptBlockText|contains:
    - Export-PfxCertificate
    - Export-Certificate
filter_optional_module_export:
  ScriptBlockText|contains: CmdletsToExport = @(
condition: selection and not 1 of filter_optional_*

Author

Florian Roth (Nextron Systems)

Created

2021-04-23

Data Sources

product: windows, category: ps_script

Platforms

windows

Tags

attack.credential-access
attack.t1552.004
Raw Content
title: Certificate Exported Via PowerShell - ScriptBlock
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
related:
    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
      type: similar
status: test
description: Detects calls to cmdlets inside PowerShell scripts that export certificates from the local certificate store. Threat actors have been observed abusing these cmdlets to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
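To see what the detection section (both the rendered Detection Query and the raw YAML above) actually matches, the following is an added example, not code from the rule or from the SigmaHQ project: it re-implements the rule's `selection`, `filter_optional_module_export` and `condition` in Python and runs them over a handful of constructed Event ID 4104 (Script Block Logging) records. The sample ScriptBlockText values, the event ids and the thumbprint are made up for the example; the assumption that Sigma `|contains` is case-insensitive reflects the default of the common backends, and a backend that compiles it case-sensitively would miss the lowercase sample.

```python
"""Added example (not part of the Sigma rule or the SigmaHQ project): evaluate the
rule's detection logic over constructed PowerShell Script Block Logging events."""
from __future__ import annotations

# Values copied from the rule's detection section.
SELECTION_TERMS = ["Export-PfxCertificate", "Export-Certificate"]
FILTERS = {"filter_optional_module_export": ["CmdletsToExport = @("]}


def contains_any(text: str, needles: list[str]) -> bool:
    """Sigma `|contains`: substring match on any listed value. Assumed
    case-insensitive here, which is the default in the common backends."""
    haystack = text.casefold()
    return any(n.casefold() in haystack for n in needles)


def rule_matches(script_block_text: str) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    selection = contains_any(script_block_text, SELECTION_TERMS)
    filtered = any(contains_any(script_block_text, terms) for terms in FILTERS.values())
    return selection and not filtered


# Constructed 4104 events (Microsoft-Windows-PowerShell/Operational), not real logs.
SAMPLE_EVENTS = [
    # Classic private-key theft: export the machine store with a password.
    {"id": "pfx-export", "EventID": 4104, "ScriptBlockText":
        "$pw = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force\n"
        "Get-ChildItem Cert:\\LocalMachine\\My | "
        "Export-PfxCertificate -FilePath C:\\Users\\Public\\m.pfx -Password $pw"},
    # Lowercase cmdlet name; only matches because |contains is case-insensitive.
    {"id": "cert-export-lowercase", "EventID": 4104, "ScriptBlockText":
        "$c = get-item cert:\\currentuser\\my\\0123456789ABCDEF0123456789ABCDEF01234567\n"
        "export-certificate -Cert $c -FilePath $env:TEMP\\c.cer"},
    # Module manifest listing the cmdlet names: selection hits, filter suppresses it.
    {"id": "module-manifest", "EventID": 4104, "ScriptBlockText":
        "@{ ModuleVersion = '1.0'; CmdletsToExport = @('Export-Certificate', "
        "'Export-PfxCertificate', 'Import-Certificate') }"},
    # Read-only certificate inventory: no export cmdlet, no alert.
    {"id": "benign-inventory", "EventID": 4104, "ScriptBlockText":
        "Get-ChildItem Cert:\\LocalMachine\\My | Select-Object Subject, NotAfter"},
    # Cmdlet name assembled at runtime and invoked via the call operator: the full
    # name never appears in any script block, so this substring rule does not fire.
    {"id": "concatenated-name", "EventID": 4104, "ScriptBlockText":
        "$n = 'Export-Pfx' + 'Certificate'; & $n -Cert $c -FilePath C:\\t.pfx -Password $pw"},
]


def evaluate(events: list[dict]) -> list[str]:
    """Return the ids of the events the rule would alert on (ps_script = 4104 only)."""
    return [e["id"] for e in events
            if e["EventID"] == 4104 and rule_matches(e["ScriptBlockText"])]


if __name__ == "__main__":
    hits = set(evaluate(SAMPLE_EVENTS))
    for event in SAMPLE_EVENTS:
        print(f"{'ALERT ' if event['id'] in hits else 'ignore'}  {event['id']}")
```

Running this flags only `pfx-export` and `cert-export-lowercase`. The manifest sample shows why the `filter_optional_module_export` clause exists (module manifests legitimately list these cmdlet names), and the concatenated-name sample shows the rule's blind spot: a substring match on ScriptBlockText needs the literal cmdlet name to appear in a logged block, which is part of why the rule is hunting-grade at level medium and why the `falsepositives` note expects additional, environment-specific filters. None of this produces anything unless Script Block Logging is enabled on the endpoints, as the `logsource` definition states.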