← Library
splApache-2.0from splunk/security_content

Windows Export Certificate

The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_export_certificate.yml
`certificateservices_lifecycle` EventCode=1007
  | xmlkv UserData_Xml
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY Computer, SubjectName, UserData_Xml
  | rename Computer as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_export_certificate_filter`