/
windows_powershell_export_pfxcertificate.yml
60 lines (60 loc) · 2.3 KB
/
windows_powershell_export_pfxcertificate.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Windows PowerShell Export PfxCertificate
id: ed06725f-6da6-439f-9dcc-ab30e891297c
version: 1
date: '2023-02-01'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic identifies the PowerShell Cmdlet export-pfxcertificate
utilizing Script Block Logging. This particular behavior is related to an adversary
attempting to steal certificates local to the Windows endpoint within the Certificate
Store.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*")
| rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime
by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: It is possible administrators or scripts may run these commands,
filtering may be required.
references:
- https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj
- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
tags:
analytic_story:
- Windows Certificate Services
asset_type: Endpoint
confidence: 60
impact: 60
message: A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$,
attempting to export a certificate.
mitre_attack_id:
- T1552.004
- T1552
- T1649
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- ScriptBlockText
- dest
- EventCode
risk_score: 36
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
update_timestamp: true