From a6e5a93e32c68f7a3e43ddd4051692c8db85fad6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 18 May 2023 23:45:48 +0200
Subject: [PATCH] feat: update metadata and add process creation version
---
 ...ate.yml => posh_ps_export_certificate.yml} | 19 ++++++++------
 ...tion_win_powershell_export_certificate.yml | 25 +++++++++++++++++++
 2 files changed, 36 insertions(+), 8 deletions(-)
 rename rules/windows/powershell/powershell_script/{posh_ps_susp_export_pfxcertificate.yml => posh_ps_export_certificate.yml} (54%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml
similarity index 54%
rename from rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml
index fef616b6d7a..08979b077f1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml
@@ -1,14 +1,17 @@
-title: Certificate Exported via PowerShell
+title: Certificate Exported Via PowerShell - ScriptBlock
 id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+related:
+ - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
+ type: similar
 status: test
-description: Detects commandlets that are used to export certificates from the local certificate store which are sometimes used by threat actors to steal private keys from compromised machines.
+description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
 references:
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
 - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Florian Roth (Nextron Systems)
 date: 2021/04/23
-modified: 2023/05/15
+modified: 2023/05/18
 tags:
 - attack.credential_access
 - attack.t1552.004
@@ -18,12 +21,12 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
 - 'Export-PfxCertificate'
 - 'Export-Certificate'
- filter_moduleexport:
+ filter_optional_module_export:
 ScriptBlockText|contains: 'CmdletsToExport = @('
- condition: selection and not filter_moduleexport
+ condition: selection and not 1 of filter_optional_*
 falsepositives:
- - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
-level: high
+ - Legitimate certificate exports by administrators. Additional filters might be required.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
new file mode 100644
index 00000000000..c4ecbb9ed1d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -0,0 +1,25 @@
+title: Certificate Exported Via PowerShell
+id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
+related:
+ - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+ type: similar
+status: experimental
+description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+ - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+ - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/18
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Export-PfxCertificate '
+ - 'Export-Certificate '
+ condition: selection
+falsepositives:
+ - Legitimate certificate exports by administrators. Additional filters might be required.
+level: medium
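Review bot: The two `CommandLine|contains` values in the new `selection` end with a trailing space, which limits the match to command lines where the cmdlet name is directly followed by a space-separated argument; a command line where the name is the last token or is followed by another separator, and anything passed as an encoded command, falls outside this rule, and nothing in the rule says so. If the space is deliberate (presumably to keep quoted cmdlet names and `CmdletsToExport` lists from module manifests out of scope, the way the ScriptBlock rule's `filter_optional_module_export` does), document it next to the selection, e.g. `# trailing space is intentional: only match the cmdlet when it is followed by an argument`. The in-script and encoded cases are where the related ScriptBlock rule aa7a3fce-bef5-4311-9cc1-5f04bb8c308c applies, so a sentence in `description` pointing readers there for coverage would make tuning easier.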