Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ingress Tool Transfer - Certutil

Back
Idf0be11a9-ec48-4df6-801d-479556044d4e
RulenameIngress Tool Transfer - Certutil
DescriptionThis detection addresses most of the known ways to utilize this binary for malicious/unintended purposes.

It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.
SeverityLow
TacticsCommandAndControl
DefenseEvasion
TechniquesT1105
T1564.004
T1027
T1140
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
Version1.0.0
Arm templatef0be11a9-ec48-4df6-801d-479556044d4e.json
Deploy To Azure
// Set the time span for the query.
let Timeframe = 1h;
// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
let HashTimeframe = 14d;
// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
DeviceProcessEvents
| where Timestamp >= ago(Timeframe)
// Get all executions by processes with a SHA1 hash that is or was named certutil.
| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, 
// removing any potential command line obfuscation. 
| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
// Search for de-obfuscated commands used. 
// Urlcache is the documented attribute. However, url is also accepted.
// Verifyctl is the documented attribute. However, verify is also accepted.
| where CleanProcessCommandLine has_any ("decode", "encode", "verify","url") 
| order by Timestamp
kind: Scheduled
status: Available
triggerThreshold: 0
relevantTechniques:
- T1105
- T1564.004
- T1027
- T1140
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryPeriod: 14d
tactics:
- CommandAndControl
- DefenseEvasion
severity: Low
triggerOperator: gt
description: |
  This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. 
  It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.  
query: |
  // Set the time span for the query.
  let Timeframe = 1h;
  // Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
  let HashTimeframe = 14d;
  // Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
  let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  DeviceProcessEvents
  | where Timestamp >= ago(Timeframe)
  // Get all executions by processes with a SHA1 hash that is or was named certutil.
  | where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
  // Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, 
  // removing any potential command line obfuscation. 
  | extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
  // Search for de-obfuscated commands used. 
  // Urlcache is the documented attribute. However, url is also accepted.
  // Verifyctl is the documented attribute. However, verify is also accepted.
  | where CleanProcessCommandLine has_any ("decode", "encode", "verify","url") 
  | order by Timestamp  
name: Ingress Tool Transfer - Certutil
version: 1.0.0
id: f0be11a9-ec48-4df6-801d-479556044d4e
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "properties": {
        "alertRuleTemplateName": "f0be11a9-ec48-4df6-801d-479556044d4e",
        "customDetails": null,
        "description": "This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. \nIt attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.\n",
        "displayName": "Ingress Tool Transfer - Certutil",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml",
        "query": "// Set the time span for the query.\nlet Timeframe = 1h;\n// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.\nlet HashTimeframe = 14d;\n// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.\nlet CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nlet CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains \"certutil\" or FileName contains \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nDeviceProcessEvents\n| where Timestamp >= ago(Timeframe)\n// Get all executions by processes with a SHA1 hash that is or was named certutil.\n| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ \"certutil.exe\" or ProcessCommandLine has \"certutil\"\n// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, \n// removing any potential command line obfuscation. \n| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, \"windows\")\n// Search for de-obfuscated commands used. \n// Urlcache is the documented attribute. However, url is also accepted.\n// Verifyctl is the documented attribute. However, verify is also accepted.\n| where CleanProcessCommandLine has_any (\"decode\", \"encode\", \"verify\",\"url\") \n| order by Timestamp\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1027",
          "T1105",
          "T1140",
          "T1564"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}