
Certificate Exported Via PowerShell - ScriptBlock (aa7a3fce-bef5-4311-9cc1-5f04bb8c308c)

Detects calls to cmdlets inside PowerShell scripts that are used to export certificates from the local certificate store. Threat actors have been observed abusing this technique to steal private keys from compromised machines.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Certificate Exported Via PowerShell - ScriptBlock (aa7a3fce-bef5-4311-9cc1-5f04bb8c308c) | Sigma-Rules | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 2 |