From 4a11ef9514938e7a7e32cf5f379e975cebf5aed3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 21 Jul 2021 01:26:36 -0500
Subject: [PATCH] [Rule Tuning] Suspicious CertUtil Commands (#1180)

* update name to Suspicious CertUtil Commands
* update description, query, and filename
---
..._evasion_suspicious_certutil_commands.toml} | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
rename rules/windows/{defense_evasion_encoding_or_decoding_files_via_certutil.toml => defense_evasion_suspicious_certutil_commands.toml} (54%)

diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
similarity index 54%
rename from rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
rename to rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 6e92cc482..a9c29f458 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,20 +1,26 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/06"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of
-Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
-control or exfiltration.
+Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of
+Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or
+data exfiltration.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Encoding or Decoding Files via CertUtil"
+name = "Suspicious CertUtil Commands"
+references = [
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+ "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+]
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
@@ -25,7 +31,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
 (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
- process.args : ("?decode", "?encode")
+ process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex")
 '''
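Review bot: The metadata stamp `+updated_date = "2021/05/06"` predates the commit's own date in the patch header (21 Jul 2021), so the rule's change marker does not reflect when this tuning actually landed; if the repository's rule versioning keys off updated_date, it should be bumped to the date the change is merged (constructed example: `updated_date = "2021/07/21"`). The broadened description ("suspicious commands", "live off the land") no longer tells an analyst which behaviours trigger the rule, even though the query in the second hunk now matches both the download/cache switches (`?urlcache`, `?verifyctl`) and the encoding switches (`?encode`, `?decode`, `?encodehex`, `?decodehex`); a sentence in the description naming those two behaviour classes would make triage and exception-tuning clearer. The rule_id is unchanged across the rename, so existing alerts and exceptions keyed on it remain valid, which is worth stating in the PR description.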