From 1793453656bb36a9fbc2f7399514c42ed68ea334 Mon Sep 17 00:00:00 2001
From: pcmcpherson <74933047+pcmcpherson@users.noreply.github.com>
Date: Wed, 26 May 2021 15:37:41 -0600
Subject: [PATCH] Update CAR-2021-05-008.yml

added pseudocode
---
 analytics/CAR-2021-05-008.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/analytics/CAR-2021-05-008.yml b/analytics/CAR-2021-05-008.yml
index 9a056253..ac5bd8d2 100644
--- a/analytics/CAR-2021-05-008.yml
+++ b/analytics/CAR-2021-05-008.yml
@@ -19,7 +19,17 @@ coverage:
 - TA0006
 coverage: Moderate
 implementations:
-- description: ''
+- name: Pseudocode – CertUtil certificate extraction
+ description: Pseudocode implementation of the Splunk search below
+ code: |-
+ processes = search Process:Create
+ certutil_downloads = filter processes where (
+ exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * )
+ output certutil_downloads
+ data_model: CAR native
+ type: Pseudocode
+- name: Splunk code
+ description: Splunk implementation
 code: '| tstats count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name