Ingress Tool Transfer - Certutil

Back


Id	f0be11a9-ec48-4df6-801d-479556044d4e
Rulename	Ingress Tool Transfer - Certutil
Description	This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.
Severity	Low
Tactics	CommandAndControl DefenseEvasion
Techniques	T1105 T1564.004 T1027 T1140
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
Version	1.0.0
Arm template	f0be11a9-ec48-4df6-801d-479556044d4e.json

KQL

// Set the time span for the query.
let Timeframe = 1h;
// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
let HashTimeframe = 14d;
// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
DeviceProcessEvents
| where Timestamp >= ago(Timeframe)
// Get all executions by processes with a SHA1 hash that is or was named certutil.
| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, 
// removing any potential command line obfuscation. 
| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
// Search for de-obfuscated commands used. 
// Urlcache is the documented attribute. However, url is also accepted.
// Verifyctl is the documented attribute. However, verify is also accepted.
| where CleanProcessCommandLine has_any ("decode", "encode", "verify","url") 
| order by Timestamp

YAML

entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
tactics:
- CommandAndControl
- DefenseEvasion
triggerOperator: gt
description: |
  This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. 
  It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.  
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
relevantTechniques:
- T1105
- T1564.004
- T1027
- T1140
version: 1.0.0
id: f0be11a9-ec48-4df6-801d-479556044d4e
kind: Scheduled
query: |
  // Set the time span for the query.
  let Timeframe = 1h;
  // Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.
  let HashTimeframe = 14d;
  // Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.
  let CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  let CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));
  DeviceProcessEvents
  | where Timestamp >= ago(Timeframe)
  // Get all executions by processes with a SHA1 hash that is or was named certutil.
  | where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ "certutil.exe" or ProcessCommandLine has "certutil"
  // Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, 
  // removing any potential command line obfuscation. 
  | extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, "windows")
  // Search for de-obfuscated commands used. 
  // Urlcache is the documented attribute. However, url is also accepted.
  // Verifyctl is the documented attribute. However, verify is also accepted.
  | where CleanProcessCommandLine has_any ("decode", "encode", "verify","url") 
  | order by Timestamp  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml
queryFrequency: 1h
severity: Low
name: Ingress Tool Transfer - Certutil
queryPeriod: 14d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f0be11a9-ec48-4df6-801d-479556044d4e')]",
      "properties": {
        "alertRuleTemplateName": "f0be11a9-ec48-4df6-801d-479556044d4e",
        "customDetails": null,
        "description": "This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. \nIt attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming.\n",
        "displayName": "Ingress Tool Transfer - Certutil",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertutilIngressToolTransfer.yaml",
        "query": "// Set the time span for the query.\nlet Timeframe = 1h;\n// Set the HashTimeframe for the hash lookup; longer makes it more accurate, but obviously also more resource-intensive.\nlet HashTimeframe = 14d;\n// Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil.\nlet CertUtilPESha1=materialize(DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName has \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nlet CertUtilFESha1=materialize(DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains \"certutil\" or FileName contains \"certutil\"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1));\nDeviceProcessEvents\n| where Timestamp >= ago(Timeframe)\n// Get all executions by processes with a SHA1 hash that is or was named certutil.\n| where SHA1 in (CertUtilPESha1) or SHA1 in (CertUtilFESha1) or FileName =~ \"certutil.exe\" or ProcessCommandLine has \"certutil\"\n// Create a new field called CleanProcessCommandLine which gets populated with the value of ProcessCommandLine as Windows parses it for execution, \n// removing any potential command line obfuscation. \n| extend CleanProcessCommandLine=parse_command_line(ProcessCommandLine, \"windows\")\n// Search for de-obfuscated commands used. \n// Urlcache is the documented attribute. However, url is also accepted.\n// Verifyctl is the documented attribute. However, verify is also accepted.\n| where CleanProcessCommandLine has_any (\"decode\", \"encode\", \"verify\",\"url\") \n| order by Timestamp\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [
          "T1564.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion"
        ],
        "techniques": [
          "T1027",
          "T1105",
          "T1140",
          "T1564"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}