
Certificate Exported Via PowerShell - ScriptBlock (aa7a3fce-bef5-4311-9cc1-5f04bb8c308c)

Detects calls to cmdlets inside PowerShell scripts that are used to export certificates from the local certificate store. Threat actors have been observed abusing this to steal private keys from compromised machines.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Certificate Exported Via PowerShell - ScriptBlock (aa7a3fce-bef5-4311-9cc1-5f04bb8c308c) | Sigma-Rules | 1 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |