Detection rules › Splunk
Windows Export Certificate
The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1552.004 Unsecured Credentials: Private Keys, T1649 Steal or Forge Authentication Certificates |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| CertificateServicesClient-Lifecycle-System | 1007 | A certificate has been exported. |
Stages and Predicates
Stage 1: search
search EventCode=1007
Stage 2: xmlkv
xmlkv
Stage 3: stats
stats BY Computer, SubjectName, UserData_Xml
Stage 4: rename
rename
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Certificate Exported From Local Certificate Store (drops 1 filter this rule applies)