Microsoft Sentinel Analytic Rules

Ingress Tool Transfer - Certutil

Idf0be11a9-ec48-4df6-801d-479556044d4e
RulenameIngress Tool Transfer - Certutil
DescriptionThis detection covers most known ways of abusing certutil.exe for file download, encoding and decoding.

It also accounts for common detection-evasion techniques such as command-line obfuscation and binary renaming: the command line is parsed the way Windows parses it before matching, and the SHA1 hashes of files that are or were named certutil are tracked so a renamed copy is still caught.
SeverityLow
TacticsCommandAndControl
DefenseEvasion
TechniquesT1105
T1564.004
T1027
T1140
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
Version1.0.0
Arm templatef0be11a9-ec48-4df6-801d-479556044d4e.json
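// Set the time span for the query: the window of DeviceProcessEvents examined on each run.
// NOTE(review): this is hard-coded to the rule's 1h frequency with no overlap, so a delayed run or
// ingestion lag can drop events; the rule's 14d queryPeriod only bounds the hash lookups below.
let Timeframe = 1h;
// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
let HashTimeframe = 14d;
// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
// These sets are what let the rule catch a renamed copy of certutil.exe whose name and command line
// no longer contain "certutil" at all.
let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
DeviceProcessEvents
| where Timestamp >= ago(Timeframe)
// Get all executions by processes with a SHA1 hash that is or was named certutil,
// or that still carry the certutil name in the image name or command line.
| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution,
// removing any potential command line obfuscation.
| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
// Search for de-obfuscated commands used.
// has_any matches whole terms only, so the documented switch names are listed alongside the shorter
// forms certutil also accepts; "url" on its own does not match the term "urlcache".
//   -urlcache (short form -url) and -verifyctl (short form -verify): download a file (T1105)
//   -decode/-encode and -decodehex/-encodehex: unpack or pack a payload (T1140, T1027)
| where CleanProcessCommandLine has_any ("decode", "encode", "decodehex", "encodehex", "verify", "verifyctl", "url", "urlcache")
| order by Timestamp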
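relevantTechniques:
- T1105
- T1564.004
- T1027
- T1140
name: Ingress Tool Transfer - Certutil
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  # The query also reads DeviceFileEvents for the renamed-binary hash lookup.
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
triggerThreshold: 0
id: f0be11a9-ec48-4df6-801d-479556044d4e
tactics:
- CommandAndControl
- DefenseEvasion
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 1h
severity: Low
status: Available
description: |
  This detection covers most known ways of abusing certutil.exe for file download, encoding and decoding.
  It also accounts for common detection-evasion techniques such as command-line obfuscation and binary renaming,
  by parsing the command line as Windows would and by tracking the SHA1 hashes of files that are or were named certutil.
query: |
  // Set the time span for the query: the window of DeviceProcessEvents examined on each run.
  // NOTE(review): this is hard-coded to the rule's 1h frequency with no overlap, so a delayed run or
  // ingestion lag can drop events; the rule's 14d queryPeriod only bounds the hash lookups below.
  let Timeframe = 1h;
  // Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
  let HashTimeframe = 14d;
  // Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
  // These sets are what let the rule catch a renamed copy of certutil.exe whose name and command line
  // no longer contain "certutil" at all.
  let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  DeviceProcessEvents
  | where Timestamp >= ago(Timeframe)
  // Get all executions by processes with a SHA1 hash that is or was named certutil,
  // or that still carry the certutil name in the image name or command line.
  | where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
  // Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution,
  // removing any potential command line obfuscation.
  | extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
  // Search for de-obfuscated commands used.
  // has_any matches whole terms only, so the documented switch names are listed alongside the shorter
  // forms certutil also accepts; "url" on its own does not match the term "urlcache".
  //   -urlcache (short form -url) and -verifyctl (short form -verify): download a file (T1105)
  //   -decode/-encode and -decodehex/-encodehex: unpack or pack a payload (T1140, T1027)
  | where CleanProcessCommandLine has_any ("decode", "encode", "decodehex", "encodehex", "verify", "verifyctl", "url", "urlcache")
  | order by Timestamp
triggerOperator: gt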
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "properties": {
        "alertRuleTemplateName": "f0be11a9-ec48-4df6-801d-479556044d4e",
        "customDetails": null,
        "description": "This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. \nIt attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.\n",
        "displayName": "Ingress Tool Transfer - Certutil",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml",
        "query": "// Set the time span for the query.\nlet Timeframe = 1h;\n// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.\nlet HashTimeframe = 14d;\n// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.\nlet CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nlet CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains \"certutil\" or FileName contains \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nDeviceProcessEvents\n| where Timestamp >= ago(Timeframe)\n// Get all executions by processes with a SHA1 hash that is or was named certutil.\n| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ \"certutil.exe\" or ProcessCommandLine has \"certutil\"\n// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, \n// removing any potential command line obfuscation. \n| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, \"windows\")\n// Search for de-obfuscated commands used. \n// Urlcache is the documented attribute. However, url is also accepted.\n// Verifyctl is the documented attribute. However, verify is also accepted.\n| where CleanProcessCommandLine has_any (\"decode\", \"encode\", \"verify\",\"url\") \n| order by Timestamp\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [
          "T1564.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1027",
          "T1105",
          "T1140",
          "T1564"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}