Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1649 Steal or Forge Authentication Certificates |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| CertificateServicesClient-Lifecycle-System | 1007 | A certificate has been exported. |
Stages and Predicates
Stage 1: selection
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or not specific enough.
- Windows Export Certificate (adds 1 filter)