
Certificate Exported From Local Certificate Store

Sigma Rules

Summary
This detection rule fires when an application exports a certificate from the local Windows certificate store. If the certificate's private key is marked exportable, the export can carry the key with it, so the event may indicate credential theft (a stolen certificate and key let an attacker authenticate as that user or machine) or other misuse of certificate services. The rule matches on Event ID 1007 in the Windows CertificateServicesClient-Lifecycle-System log, which Windows writes when a certificate is exported. Because backup agents, enrollment tooling and administrators also export certificates legitimately, a bare match is not enough on its own: add context such as the exporting process, the account involved and the subject of the exported certificate, and allowlist known-good exporters, so that attention stays on unexpected exports. The rule matters most in environments that rely on PKI (Public Key Infrastructure) and certificate-based authentication.
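The following is an added example, not code from the rule or its author: it applies the rule's selection (Event ID 1007 from the CertificateServicesClient-Lifecycle-System provider) to a handful of constructed newline-delimited JSON events and then layers an environment-specific allowlist on top to suppress a known-good exporter. The provider name and Event ID are the rule's own criteria; the `Image` and `SubjectName` field names and the sample events are assumptions made for illustration.

```python
"""Certificate-export triage modelled on the Sigma rule's selection
(EventID 1007 from the CertificateServicesClient-Lifecycle-System channel),
with an allowlist of known-good exporting processes added on top."""
import json

# The rule's own selection criteria.
PROVIDER = "Microsoft-Windows-CertificateServicesClient-Lifecycle-System"
EXPORT_EVENT_ID = 1007

# Constructed sample log lines (NDJSON as a forwarder might emit it; not real
# Windows output). "Image" and "SubjectName" are assumed field names, and the
# malformed fourth line is there to show that bad input is skipped.
SAMPLE_LOG = r"""
{"EventID": 1007, "Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System", "Computer": "WS01", "Image": "C:\\Program Files\\Backup\\certbackup.exe", "SubjectName": "CN=ws01.corp.example"}
{"EventID": 1007, "Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System", "Computer": "WS02", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\m.exe", "SubjectName": "CN=alice"}
{"EventID": 1007, "Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System", "Computer": "WS03", "Image": "C:\\Windows\\System32\\mmc.exe", "SubjectName": "CN=bob"}
{not valid json
{"EventID": 1001, "Provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System", "Computer": "WS03", "Image": "C:\\Windows\\System32\\svchost.exe", "SubjectName": "CN=ws03.corp.example"}
{"EventID": 1007, "Provider": "Microsoft-Windows-Security-Auditing", "Computer": "WS04", "Image": "C:\\Windows\\System32\\lsass.exe", "SubjectName": "-"}
"""

# Processes known to export certificates legitimately in this environment.
# Assumption: tune this to your own backup and enrollment tooling.
KNOWN_GOOD_EXPORTERS = {
    r"c:\program files\backup\certbackup.exe",
}


def parse_events(lines):
    """Parse NDJSON event lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def matches_rule(event):
    """The Sigma selection: Event ID 1007 from the lifecycle-system provider.
    A 1007 from any other provider is unrelated and must not match."""
    return (event.get("Provider") == PROVIDER
            and event.get("EventID") == EXPORT_EVENT_ID)


def classify(events, allowlist=KNOWN_GOOD_EXPORTERS):
    """Split rule matches into (alerts, suppressed) using the allowlist.
    Paths are compared case-insensitively because Windows paths are."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        image = ev.get("Image", "").lower()
        (suppressed if image in allowlist else alerts).append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = classify(parse_events(SAMPLE_LOG.splitlines()))
    for ev in alerts:
        print(f"ALERT {ev['Computer']}: {ev['Image']} exported {ev['SubjectName']}")
    print(f"{len(suppressed)} export(s) suppressed by allowlist")
```

Run as a script it reports two alerts (the export from a user's Temp directory and the interactive export through mmc.exe, which is how a user would export a key with the certificates snap-in) and one suppressed backup-agent export; the Event ID 1001 record and the 1007 from a different provider never match the selection. The allowlist is a starting point only: an attacker can run an allowlisted binary, so pair it with checks on the account and on where the exported file ends up.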
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Certificate
  • Logon Session
Created: 2023-05-13