Title | Suspicious Certutil Command |
---|---|
Description | Detects a suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code with the built-in certutil utility |
ATT&CK Tactic | |
ATT&CK Technique | |
Data Needed | |
Trigger | |
Severity Level | high |
False Positives | |
Development Status | experimental |
References | |
Author | Florian Roth, juju4, keepwatch |
Other Tags | |
Detection Rules
Sigma rule
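# Sigma rule: Suspicious Certutil Command (id e011a729-98a6-4139-b5c4-bf6f6dd8239a).
# Indentation restored: in the rendered copy every key sat at column 0, so
# logsource/detection children parsed as top-level keys and the wrapped
# description line was not a valid scalar continuation. Patterns and field
# values are unchanged.
title: Suspicious Certutil Command
id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
modified: 2020/09/05
references:
  - https://twitter.com/JohnLaTwC/status/835149808817991680
  - https://twitter.com/subTee/status/888102593838362624
  - https://twitter.com/subTee/status/888071631528235010
  - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
  - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
  - https://twitter.com/egre55/status/1087685529016193025
  - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
logsource:
  # Windows process-creation telemetry (e.g. Sysmon event 1 / Security 4688 via
  # the backend's field mapping); only CommandLine is evaluated below.
  category: process_creation
  product: windows
detection:
  selection:
    # '*' is the Sigma wildcard; each entry is one glob over the full command line.
    CommandLine:
      # Switch-only patterns: they require the switch with a space on both
      # sides but do NOT require 'certutil' anywhere in the command line, so
      # any process started with one of these switches matches regardless of
      # the image name. If other tools in the environment use the same switch
      # names, pair this selection with an Image clause to cut false positives.
      - '* -decode *'
      - '* /decode *'
      - '* -decodehex *'
      - '* /decodehex *'
      - '* -urlcache *'
      - '* /urlcache *'
      - '* -verifyctl *'
      - '* /verifyctl *'
      - '* -encode *'
      - '* /encode *'
      # These four additionally require 'certutil' somewhere before the switch.
      - '*certutil* -URL*'
      - '*certutil* /URL*'
      - '*certutil* -ping*'
      - '*certutil* /ping*'
  condition: selection
# Fields surfaced in the alert output by the backends.
fields:
  - CommandLine
  - ParentCommandLine
# ATT&CK mapping as given by the authors: T1140 (Deobfuscate/Decode Files or
# Information), T1105 (Ingress Tool Transfer), S0160 (certutil) and the group
# IDs the authors associate with certutil abuse.
tags:
  - attack.defense_evasion
  - attack.t1140
  - attack.command_and_control
  - attack.t1105
  - attack.s0160
  - attack.g0007
  - attack.g0010
  - attack.g0045
  - attack.g0049
  - attack.g0075
  - attack.g0096
falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment
level: high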
powershell
# Suspicious Certutil Command (Sigma e011a729-98a6-4139-b5c4-bf6f6dd8239a), PowerShell form.
# Reads events with Get-WinEvent and keeps those whose message text matches one of
# the CommandLine regexes below. -match is a regex test and is case-insensitive by
# default in PowerShell (use -cmatch for case-sensitive), so 'certutil -DECODE' is
# caught as well.
$certutilPatterns = @(
    'CommandLine.*.* -decode .*',
    'CommandLine.*.* /decode .*',
    'CommandLine.*.* -decodehex .*',
    'CommandLine.*.* /decodehex .*',
    'CommandLine.*.* -urlcache .*',
    'CommandLine.*.* /urlcache .*',
    'CommandLine.*.* -verifyctl .*',
    'CommandLine.*.* /verifyctl .*',
    'CommandLine.*.* -encode .*',
    'CommandLine.*.* /encode .*',
    'CommandLine.*.*certutil.* -URL.*',
    'CommandLine.*.*certutil.* /URL.*',
    'CommandLine.*.*certutil.* -ping.*',
    'CommandLine.*.*certutil.* /ping.*'
)
# A single alternation is equivalent to OR-ing the fourteen separate -match tests.
$certutilRegex = $certutilPatterns -join '|'

Get-WinEvent |
    Where-Object { $_.message -match $certutilRegex } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message
es-qs
winlog.event_data.CommandLine.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)
xpack-watcher
# Suspicious Certutil Command (Sigma e011a729-98a6-4139-b5c4-bf6f6dd8239a), X-Pack Watcher form.
# Registers the watch with a PUT to localhost:9200; no credentials are passed to curl,
# so presumably host and auth are deployment placeholders to be replaced - confirm.
# Every 30m the watch runs the query-string search over winlogbeat-* for the last 30m
# and, when ctx.payload.hits.total is non-zero, e-mails root@localhost (throttled to 15m)
# with CommandLine/ParentCommandLine of each hit.
# NOTE(review): the range filter keys on "timestamp" while the e-mail template reads
# _source.@timestamp; if the index only carries @timestamp the filter would exclude
# every document - confirm the field name against the index mapping.
# NOTE(review): the search uses "size": 0, so hits.hits is empty and the
# {{#ctx.payload.hits.hits}} loop in the e-mail body looks like it would print no
# rows even when hits.total fires - confirm whether a non-zero size was intended.
# The literal '\n' and '\'' sequences appear to be escapes left by the page rendering,
# not part of the shell text as written - confirm against the source file before use.
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e011a729-98a6-4139-b5c4-bf6f6dd8239a <<EOF\n{\n "metadata": {\n "title": "Suspicious Certutil Command",\n "description": "Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility",\n "tags": [\n "attack.defense_evasion",\n "attack.t1140",\n "attack.command_and_control",\n "attack.t1105",\n "attack.s0160",\n "attack.g0007",\n "attack.g0010",\n "attack.g0045",\n "attack.g0049",\n "attack.g0075",\n "attack.g0096"\n ],\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\ \\\\-decode\\\\ * OR *\\\\ \\\\/decode\\\\ * OR *\\\\ \\\\-decodehex\\\\ * OR *\\\\ \\\\/decodehex\\\\ * OR *\\\\ \\\\-urlcache\\\\ * OR *\\\\ \\\\/urlcache\\\\ * OR *\\\\ \\\\-verifyctl\\\\ * OR *\\\\ \\\\/verifyctl\\\\ * OR *\\\\ \\\\-encode\\\\ * OR *\\\\ \\\\/encode\\\\ * OR *certutil*\\\\ \\\\-URL* OR *certutil*\\\\ \\\\/URL* OR *certutil*\\\\ \\\\-ping* OR *certutil*\\\\ \\\\/ping*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\ \\\\-decode\\\\ * OR *\\\\ \\\\/decode\\\\ * OR *\\\\ \\\\-decodehex\\\\ * OR *\\\\ \\\\/decodehex\\\\ * OR *\\\\ \\\\-urlcache\\\\ * OR *\\\\ \\\\/urlcache\\\\ * OR *\\\\ \\\\-verifyctl\\\\ * OR *\\\\ \\\\/verifyctl\\\\ * OR *\\\\ \\\\-encode\\\\ * OR *\\\\ \\\\/encode\\\\ * OR *certutil*\\\\ \\\\-URL* OR *certutil*\\\\ \\\\/URL* OR *certutil*\\\\ \\\\-ping* OR *certutil*\\\\ \\\\/ping*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n 
}\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Certutil Command\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
CommandLine.keyword:(* \\-decode * * \\/decode * * \\-decodehex * * \\/decodehex * * \\-urlcache * * \\/urlcache * * \\-verifyctl * * \\/verifyctl * * \\-encode * * \\/encode * *certutil* \\-URL* *certutil* \\/URL* *certutil* \\-ping* *certutil* \\/ping*)
splunk
(CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -decodehex *" OR CommandLine="* /decodehex *" OR CommandLine="* -urlcache *" OR CommandLine="* /urlcache *" OR CommandLine="* -verifyctl *" OR CommandLine="* /verifyctl *" OR CommandLine="* -encode *" OR CommandLine="* /encode *" OR CommandLine="*certutil* -URL*" OR CommandLine="*certutil* /URL*" OR CommandLine="*certutil* -ping*" OR CommandLine="*certutil* /ping*") | table CommandLine,ParentCommandLine
logpoint
CommandLine IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*", "*certutil* -ping*", "*certutil* /ping*"]
grep
# Suspicious Certutil Command (Sigma e011a729-98a6-4139-b5c4-bf6f6dd8239a), grep form.
# Prints every stdin line that contains one of the certutil sub-command switches.
# -P selects PCRE so the non-capturing group (?:...) is understood; the leading '^'
# is satisfied by every line because each alternative begins with '.*'.
# Unlike the PowerShell -match form this is case-sensitive (no -i is given).
certutil_regex='^(?:.*.* -decode .*|.*.* /decode .*|.*.* -decodehex .*|.*.* /decodehex .*|.*.* -urlcache .*|.*.* /urlcache .*|.*.* -verifyctl .*|.*.* /verifyctl .*|.*.* -encode .*|.*.* /encode .*|.*.*certutil.* -URL.*|.*.*certutil.* /URL.*|.*.*certutil.* -ping.*|.*.*certutil.* /ping.*)'
grep -P "$certutil_regex"