Windows PowerShell Export PfxCertificate

Try in Splunk Security Cloud

Description

The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-02-01
• Author: Michael Haag, Splunk
• ID: ed06725f-6da6-439f-9dcc-ab30e891297c

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1552.004	Private Keys	Credential Access

T1552

Unsecured Credentials

Credential Access

T1649

Steal or Forge Authentication Certificates

Credential Access

Kill Chain Phase

• Actions on Objectives

NIST

• DE.CM

CIS20

• CIS 3
• CIS 5
• CIS 16

CVE

Search

`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") 
| rename Computer as dest  
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_export_pfxcertificate_filter`

Macros

The SPL above uses the following Macros:

• powershell
• security_content_ctime

windows_powershell_export_pfxcertificate_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• ScriptBlockText
• dest
• EventCode

How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

It is possible administrators or scripts may run these commands, filtering may be required.

Associated Analytic Story

• Windows Certificate Services

RBA

Risk Score	Impact	Confidence	Message
36.0	60	60	A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj
• https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log

source | version: 1