Title | Suspicious Certutil Command |
---|---|
Description | Detects a suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code with the built-in certutil utility |
ATT&CK Tactic | |
ATT&CK Technique | |
Data Needed | |
Trigger | |
Severity Level | high |
False Positives | |
Development Status | experimental |
References | |
Author | Florian Roth, juju4, keepwatch |
Other Tags | |
Detection Rules
Sigma rule
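# Sigma rule: flags certutil.exe switches that are commonly abused to fetch,
# decode or encode payloads (see references). Indentation restored; the
# description is a folded scalar so it folds to the same single-line value.
title: Suspicious Certutil Command
status: experimental
description: >-
  Detects a suspicious Microsoft certutil execution with sub commands like
  'decode' sub command, which is sometimes used to decode malicious code with
  the built-in certutil utility
author: Florian Roth, juju4, keepwatch
# Sigma dates are written YYYY/MM/DD; the slashes keep this a plain string
# rather than a YAML timestamp.
modified: 2019/01/22
# NOTE(review): no `id` (UUID) or `date` field is present here; current Sigma
# tooling expects both -- take them from the upstream rule rather than
# inventing values.
references:
  - https://twitter.com/JohnLaTwC/status/835149808817991680
  - https://twitter.com/subTee/status/888102593838362624
  - https://twitter.com/subTee/status/888071631528235010
  - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
  - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
  - https://twitter.com/egre55/status/1087685529016193025
  - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
logsource:
  category: process_creation
  product: windows
detection:
  # Sigma wildcard patterns: `*` matches any run of characters and, per the
  # Sigma spec, string matching is case-insensitive. Each entry is a
  # substring test on the CommandLine field; the list is OR-ed.
  selection:
    CommandLine:
      # The first ten patterns do not mention certutil at all: any process
      # whose command line carries one of these switches (with a space on
      # each side) will fire. If this is noisy, tune by adding an Image
      # field constraint for certutil.exe in the selection.
      - '* -decode *'
      - '* /decode *'
      - '* -decodehex *'
      - '* /decodehex *'
      - '* -urlcache *'
      - '* /urlcache *'
      - '* -verifyctl *'
      - '* /verifyctl *'
      - '* -encode *'
      - '* /encode *'
      # These four do require "certutil" somewhere before the switch.
      - '*certutil* -URL*'
      - '*certutil* /URL*'
      - '*certutil* -ping*'
      - '*certutil* /ping*'
  condition: selection
# Fields the generated queries surface alongside each hit.
fields:
  - CommandLine
  - ParentCommandLine
# ATT&CK tactic / technique / software / group tags carried into the alert
# metadata by the query backends.
tags:
  - attack.defense_evasion
  - attack.t1140
  - attack.t1105
  - attack.s0189
  - attack.g0007
falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment
level: high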
es-qs
CommandLine.keyword:(*\\ \\-decode\\ * *\\ \\/decode\\ * *\\ \\-decodehex\\ * *\\ \\/decodehex\\ * *\\ \\-urlcache\\ * *\\ \\/urlcache\\ * *\\ \\-verifyctl\\ * *\\ \\/verifyctl\\ * *\\ \\-encode\\ * *\\ \\/encode\\ * *certutil*\\ \\-URL* *certutil*\\ \\/URL* *certutil*\\ \\-ping* *certutil*\\ \\/ping*)
xpack-watcher
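# Installs the rule as an X-Pack Watcher watch on a local Elasticsearch node.
# Assumes an unauthenticated endpoint on localhost:9200; add -u or an API-key
# header if the cluster requires authentication.
#
# The heredoc delimiter is quoted so the shell passes the JSON through
# verbatim: with a bare <<EOF the shell halves every "\\" (as transcribed
# here), turning the query_string escapes into invalid JSON escapes before
# Elasticsearch ever sees the document.
#
# Placeholders left by the generator that must be filled before the watch is
# useful: "indices": [] (no index is searched) and "to": null (no recipient).
# The watch runs every 30m and mails whenever the search returns any hit
# (hits.total != 0), attaching the raw result as data.json.
curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- \
  localhost:9200/_watcher/watch/Suspicious-Certutil-Command <<'EOF'
{
  "metadata": {
    "title": "Suspicious Certutil Command",
    "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility",
    "tags": [
      "attack.defense_evasion",
      "attack.t1140",
      "attack.t1105",
      "attack.s0189",
      "attack.g0007"
    ]
  },
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "query_string": {
              "query": "CommandLine.keyword:(*\\ \\-decode\\ * *\\ \\/decode\\ * *\\ \\-decodehex\\ * *\\ \\/decodehex\\ * *\\ \\-urlcache\\ * *\\ \\/urlcache\\ * *\\ \\-verifyctl\\ * *\\ \\/verifyctl\\ * *\\ \\-encode\\ * *\\ \\/encode\\ * *certutil*\\ \\-URL* *certutil*\\ \\/URL* *certutil*\\ \\-ping* *certutil*\\ \\/ping*)",
              "analyze_wildcard": true
            }
          }
        },
        "indices": []
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "not_eq": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": null,
        "subject": "Sigma Rule 'Suspicious Certutil Command'",
        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
        "attachments": {
          "data.json": {
            "data": {
              "format": "json"
            }
          }
        }
      }
    }
  }
}
EOF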
graylog
CommandLine:("* \\-decode *" "* \\/decode *" "* \\-decodehex *" "* \\/decodehex *" "* \\-urlcache *" "* \\/urlcache *" "* \\-verifyctl *" "* \\/verifyctl *" "* \\-encode *" "* \\/encode *" "*certutil* \\-URL*" "*certutil* \\/URL*" "*certutil* \\-ping*" "*certutil* \\/ping*")
splunk
(CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -decodehex *" OR CommandLine="* /decodehex *" OR CommandLine="* -urlcache *" OR CommandLine="* /urlcache *" OR CommandLine="* -verifyctl *" OR CommandLine="* /verifyctl *" OR CommandLine="* -encode *" OR CommandLine="* /encode *" OR CommandLine="*certutil* -URL*" OR CommandLine="*certutil* /URL*" OR CommandLine="*certutil* -ping*" OR CommandLine="*certutil* /ping*") | table CommandLine,ParentCommandLine
logpoint
CommandLine IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*", "*certutil* -ping*", "*certutil* /ping*"]
grep
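# Line-oriented equivalent of the rule's CommandLine patterns (-P is needed
# for the (?:...) group). Unlike the field-scoped queries above there is no
# CommandLine qualifier, so a switch anywhere in the whole log line matches,
# and the match is case-sensitive unless -i is added, whereas Sigma matching
# is case-insensitive. The generator emitted a redundant ".*.*" prefix per
# alternative (the rule's leading "*" plus its own ".*"); a single ".*"
# accepts exactly the same lines without the extra backtracking.
grep -P '^(?:.* -decode .*|.* /decode .*|.* -decodehex .*|.* /decodehex .*|.* -urlcache .*|.* /urlcache .*|.* -verifyctl .*|.* /verifyctl .*|.* -encode .*|.* /encode .*|.*certutil.* -URL.*|.*certutil.* /URL.*|.*certutil.* -ping.*|.*certutil.* /ping.*)'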