Skip to content

Hide Navigation Hide TOC

Certificate Exported Via PowerShell (9e716b33-63b2-46da-86a4-bd3c3b9b5dfb)

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Cluster A Galaxy A Cluster B Galaxy B Level
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Certificate Exported Via PowerShell (9e716b33-63b2-46da-86a4-bd3c3b9b5dfb) Sigma-Rules 1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Certificate Exported Via PowerShell (9e716b33-63b2-46da-86a4-bd3c3b9b5dfb) Sigma-Rules 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2