Update CAR-2021-05-008.yml

added pseudocode

analytics/CAR-2021-05-008.yml

@@ -19,7 +19,17 @@ coverage:
   - TA0006
   coverage: Moderate
 implementations:
-- description: ''
+-	name: Pseudocode – CertUtil certificate extraction
+  description: Pseudocode implementation of the Splunk search below
+  code: |- 
+      processes = search Process:Create
+      certutil_downloads = filter processes where (
+        exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * )
+      output certutil_downloads
+  data_model: CAR native
+  type: Pseudocode
+- name: Splunk code
+  description: Splunk implementation 
   code: '| tstats count min(_time) as firstTime values(Processes.process) as process
     max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe
     Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name