5059 Key migration operation
Logged when a cryptographic key migration operation is performed. It records migrations that involve key export or import, and it matters mainly as a signal of possible key-material exfiltration.
Overview
The subcategory is Audit Other System Events. The event is generated when a key is migrated to another location or container (for example, exported and then imported). It is a key-related event, alongside key file operation 5058.
How it is triggered
- Key backup/migration, moving a key to another machine/container.
Security review points
- Key migration, especially export, takes a private key elsewhere and can be part of stealing a key for impersonation. Watch for migrations by unexpected subjects or of unexpected keys.
- Use this event together with key file operation 5058 to track access to, and exfiltration of, key material.
Notes for log review
- The event also occurs during legitimate key management and migration operations. Compare the target key, acting subject, and destination against normal patterns.
- Review migrations of high-value keys (CA, code signing, DPAPI-related, etc.) at high priority.
Key fields
| Field | Meaning |
|---|---|
| Key Name | The migrated key |
| Operation | The migration type |
| Process Name / Subject | The origin |
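
The review points above can be turned into a small triage pass over exported event records. This is an added example, not part of the original page: the record layout, the `EXPECTED_SUBJECTS` baseline, the key-name patterns, the 10-minute correlation window, and all sample events are constructed assumptions.

```python
import fnmatch
from datetime import datetime, timedelta

# Assumed baseline for this sketch: who normally migrates keys, and which
# key-name patterns count as high value. Replace with your own inventory.
EXPECTED_SUBJECTS = {"CORP\\svc-keybackup"}
HIGH_VALUE_PATTERNS = ["*-CA", "*CodeSign*"]
WINDOW = timedelta(minutes=10)  # how far back to look for a related 5058

# Constructed sample records (not real log data); "operation" values are illustrative.
EVENTS = [
    {"time": "2024-05-01T02:00:00", "id": 5058, "subject": "CORP\\svc-keybackup",
     "key_name": "web01-tls", "operation": "Read"},
    {"time": "2024-05-01T02:00:05", "id": 5059, "subject": "CORP\\svc-keybackup",
     "key_name": "web01-tls", "operation": "Export"},
    {"time": "2024-05-01T14:31:50", "id": 5058, "subject": "CORP\\jdoe",
     "key_name": "Contoso-Issuing-CA", "operation": "Read"},
    {"time": "2024-05-01T14:32:10", "id": 5059, "subject": "CORP\\jdoe",
     "key_name": "Contoso-Issuing-CA", "operation": "Export"},
    {"time": "2024-05-01T16:00:00", "id": 5059, "subject": "CORP\\jdoe",
     "key_name": "app-settings-key", "operation": "Import"},
]

def triage(events, expected=EXPECTED_SUBJECTS, patterns=HIGH_VALUE_PATTERNS, window=WINDOW):
    """Return 5059 events that deviate from the baseline, high priority first."""
    findings = []
    for ev in events:
        if ev["id"] != 5059:
            continue
        when = datetime.fromisoformat(ev["time"])
        high_value = any(fnmatch.fnmatchcase(ev["key_name"], p) for p in patterns)
        reasons = []
        if ev["subject"] not in expected:
            reasons.append("unexpected subject")
        if high_value:
            reasons.append("high-value key")
        if not reasons:
            continue  # known subject migrating an ordinary key
        # Count 5058 key file operations on the same key by the same subject shortly before.
        related = sum(
            1 for p in events
            if p["id"] == 5058 and p["key_name"] == ev["key_name"]
            and p["subject"] == ev["subject"]
            and timedelta(0) <= when - datetime.fromisoformat(p["time"]) <= window)
        findings.append({"time": ev["time"], "subject": ev["subject"], "key_name": ev["key_name"],
                         "operation": ev["operation"], "reasons": reasons, "related_5058": related,
                         "priority": "high" if high_value else "medium"})
    return sorted(findings, key=lambda f: f["priority"] != "high")

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Subject matching here is an exact string comparison; normalize account-name case before comparing if your export does not.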