-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2021-05-007.yaml
64 lines (64 loc) · 2.88 KB
/
CAR-2021-05-007.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
title: CertUtil Download With VerifyCtl and Split Arguments
submission_date: 2021/05/11
information_domain: Analytic
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Splunk Threat Research <[email protected]>
id: CAR-2021-05-007
description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`.
This behavior does require a URL to be passed on the command-line. In addition,
`-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will
be used. It is not entirely common for `certutil.exe` to contact public IP space.
\ During triage, capture any files on disk and review. Review the reputation of
the remote IP or domain in question. Using `-VerifyCtl`, the file will either be
written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash>`. '
coverage:
- technique: T1105
tactics:
- TA0011
coverage: Moderate
implementations:
- name: Pseudocode – CertUtil download with VerifyCtl
description: Pseudocode implementation of the Splunk search below
code: |-
processes = search Process:Create
certutil_downloads = filter processes where (
exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*)
output certutil_downloads
data_model: CAR native
type: Pseudocode
- name: Splunk code
description: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` node.
code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
Processes.process Processes.process_id Processes.parent_process_id'
type: Splunk
data_model: Endpoint
unit_tests:
- configurations:
- Using Splunk [Attack Range](https://github.com/splunk/attack_range)
description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using
the Splunk attack range with the commands below
commands:
- python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
- configurations:
- Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105)
against a Windows target.
commands:
- Invoke-AtomicTest T1105
data_model_references:
- process/create/exe
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis