Event ID 1007 — A certificate has been exported.
Description
A certificate has been exported. Please refer to the "Details" section for more information.
Message
Fields
| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.CertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:18:01.045510+00:00",
    "event_record_id": 15,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0002-70D1-280D33B3DC01"
    },
    "execution": {
      "process_id": 12036,
      "thread_id": 13520
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "powershell.exe",
      "AccountName": "ludus\\domainadmin",
      "Context": "Machine",
      "CertificateDetails": {
        "Thumbprint": "f3c772f22d13c2ce651009a42dfef27f1b371f59",
        "SubjectNames": {
          "SubjectName": "CN=selftest.ludus.domain",
          "SubjectName_1": "selftest.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2026-04-12T23:18:01Z"
      }
    }
  },
  "message": ""
}
```
Detection Rules
Sigma
- Certificate Exported From Local Certificate Store (level: medium): Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Splunk
- Windows Export Certificate: The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.
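A triage sketch for events in the JSON shape shown under Example Event, added here as an example and not taken from the Sigma or Splunk rules listed above. The function names, the `EXPECTED_EXPORTERS` allow-list and the constructed sample events are assumptions.

```python
import json

CHANNEL = "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # Client Authentication EKU, as in the example event
# Assumption: processes this environment expects to export certificates.
EXPECTED_EXPORTERS = {"mmc.exe", "certutil.exe"}

def numbered(node, key):
    """Collect key, key_1, key_2, ... the way the example event lays out repeats."""
    if not isinstance(node, dict):
        return []
    return [v for k, v in node.items() if k == key or k.startswith(key + "_")]

def triage_export(event):
    """Return a summary dict for a 1007 export event, or None for any other event."""
    system = event.get("system", {})
    if system.get("event_id") != 1007 or system.get("channel") != CHANNEL:
        return None
    data = event.get("user_data", {}).get("CertNotificationData", {})
    cert = data.get("CertificateDetails", {})
    ekus = numbered(cert.get("EKUs"), "EKU")
    eku_oids = {e.get("OID") for e in ekus if isinstance(e, dict)}
    process = (data.get("ProcessName") or "").lower()
    reasons = []
    if process not in EXPECTED_EXPORTERS:
        reasons.append("unexpected exporting process: " + (process or "<missing>"))
    if CLIENT_AUTH_OID in eku_oids:
        reasons.append("certificate is valid for client authentication")
    if data.get("Context") == "Machine":
        reasons.append("exported from the machine store")
    return {
        "computer": system.get("computer"), "time": system.get("time_created"),
        "account": data.get("AccountName"), "process": process,
        "thumbprint": cert.get("Thumbprint"),
        "subjects": numbered(cert.get("SubjectNames"), "SubjectName"),
        "reasons": reasons,
    }

# Constructed sample: a trimmed copy of the example event plus an unrelated event.
SAMPLE = json.loads(r'''[
 {"system": {"event_id": 1007, "computer": "LAB-DC01.ludus.domain",
   "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"},
  "user_data": {"CertNotificationData": {"ProcessName": "powershell.exe",
   "AccountName": "ludus\\domainadmin", "Context": "Machine", "CertificateDetails": {
    "Thumbprint": "f3c772f22d13c2ce651009a42dfef27f1b371f59",
    "SubjectNames": {"SubjectName": "CN=selftest.ludus.domain", "SubjectName_1": "selftest.ludus.domain"},
    "EKUs": {"EKU": {"Name": "Client Authentication", "OID": "1.3.6.1.5.5.7.3.2"},
             "EKU_1": {"Name": "Server Authentication", "OID": "1.3.6.1.5.5.7.3.1"}}}}}},
 {"system": {"event_id": 4624, "channel": "Security"}}
]''')

if __name__ == "__main__":
    print(json.dumps([h for h in map(triage_export, SAMPLE) if h], indent=2))
```

The `reasons` list is meant for analyst context, not as a verdict: an empty list still records that an export happened.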