title: Suspicious Export-PfxCertificate
author: Florian Roth
date: 2021/04/23
description: Detects Commandlet that is used to export certificates from the local
    certificate store and sometimes used by threat actors to steal private keys from
    compromised machines
detection:
    SELECTION_1:
        ScriptBlockText: '*Export-PfxCertificate*'
    condition: SELECTION_1
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
    in the environment - filter if unusable)
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
level: high
logsource:
    category: ps_script
    definition: Script Block Logging must be enable
    product: windows
modified: 2021/08/04
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
status: experimental
tags:
- attack.credential_access
- attack.t1552.004
yml_filename: powershell_suspicious_export_pfxcertificate.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script