-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2021-05-009.yml
58 lines (58 loc) · 2.67 KB
/
CAR-2021-05-009.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
title: CertUtil With Decode Argument
submission_date: 2021/05/11
information_domain: Analytic
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Splunk Threat Research <[email protected]>
id: CAR-2021-05-009
description: CertUtil.exe may be used to `encode` and `decode` a file, including PE
and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----`
and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded
file that was downloaded. Once decoded, it will be loaded by a parallel process.
Note that there are two additional command switches that may be used - `encodehex`
and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for
further execution. During triage, identify the source of the file being decoded.
Review its contents or execution behavior for further analysis.
coverage:
- technique: T1140
tactics:
- TA0005
coverage: Moderate
implementations:
- name: Pseudocode – CertUtil with Decode Argument
description: Pseudocode implementation of the Splunk search below
code: |-
processes = search Process:Create
certutil_downloads = filter processes where (
exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* )
output certutil_downloads
data_model: CAR native
type: Pseudocode
- name: Splunk code
- description: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` node.
code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest
Processes.user Processes.parent_process Processes.process_name Processes.process
Processes.process_id Processes.parent_process_id'
type: Splunk
data_model: Endpoint
unit_tests:
- configurations:
- Using Splunk [Attack Range](https://github.com/splunk/attack_range)
description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using
the Splunk attack range with the commands below
commands:
- python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
- configurations:
- Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
description: execute the atomic test [T1140](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1140)
against a Windows target.
commands:
- Invoke-AtomicTest T1140