HackTool - Certipy Execution

    Date: 10/09/2024

    Severity: High

    Summary

    Identifies execution of Certipy, a tool used for enumerating and exploiting Active Directory Certificate Services, by analyzing PE metadata characteristics and typical command line parameters.

    Indicators of Compromise (IOC) List

    Image
        '\Certipy.exe'

    OriginalFileName
        'Certipy.exe'

    Description
        'Certipy'

    CommandLine
        ' account '
        ' auth '
        # - ' ca ' # Too short to be used with just one CLI
        ' cert '
        ' find '
        ' forge '
        ' ptt '
        ' relay '
        ' req '
        ' shadow '
        ' template '
        ' -bloodhound'
        ' -ca-pfx '
        ' -dc-ip '
        ' -kirbi'
        ' -old-bloodhound'
        ' -pfx '
        ' -target'
        ' -template'
        ' -username '
        ' -vulnerable'
        'auth -pfx'
        'shadow auto'
        'shadow list'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    ((resourcename = "Windows Security" AND eventtype = "4688") AND newprocessname = "\Certipy.exe") AND winmessage In ("Certipy.exe","Certipy","account","auth","cert","find","forge","ptt","relay","req","shadow","template","-bloodhound","-ca-pfx","-dc-ip","-kirbi","-old-bloodhound","-pfx","-target","-template","-username","-vulnerable","auth -pfx","shadow auto","shadow list")

    Detection Query 2:

    ((technologygroup = "EDR") AND newprocessname = "\Certipy.exe") AND winmessage In ("Certipy.exe","Certipy","account","auth","cert","find","forge","ptt","relay","req","shadow","template","-bloodhound","-ca-pfx","-dc-ip","-kirbi","-old-bloodhound","-pfx","-target","-template","-username","-vulnerable","auth -pfx","shadow auto","shadow list")

    Detection Query 3:

    (resourcename = "Sysmon" AND eventtype = "1") AND image = "\Certipy.exe" AND originalfilename = "Certipy.exe" AND description like "Certipy" AND commandline In ("account","auth","cert","find","forge","ptt","relay","req","shadow","template","-bloodhound","-ca-pfx","-dc-ip","-kirbi","-old-bloodhound","-pfx","-target","-template","-username","-vulnerable","auth -pfx","shadow auto","shadow list")

    Detection Query 4:

    technologygroup = "EDR" AND image = "\Certipy.exe" AND originalfilename = "Certipy.exe" AND description like "Certipy" AND commandline In ("account","auth","cert","find","forge","ptt","relay","req","shadow","template","-bloodhound","-ca-pfx","-dc-ip","-kirbi","-old-bloodhound","-pfx","-target","-template","-username","-vulnerable","auth -pfx","shadow auto","shadow list")
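    The following is an added example (not Gurucul's or the Sigma project's code) that evaluates the IOC list above against process-creation events, so the two halves of the rule can be tested separately. The event field names (image, original_file_name, description, command_line) and the three sample events are constructed stand-ins for Sysmon Event ID 1 / Security 4688 fields. Two design choices differ from the queries above and are assumptions of this example: the three PE-metadata indicators are OR-ed (a renamed binary still matches on OriginalFileName or Description), and strings are compared case-insensitively, as Sigma process-creation rules are by default. The samples also show the caveat a practitioner should keep in mind: Certipy is distributed as a Python package, so the PE-metadata indicators only cover a compiled Certipy.exe, while the command-line indicators on their own will also fire on unrelated commands that happen to contain a token such as ' find '.

```python
"""Evaluate the Certipy process-creation indicators against sample events.

Added example; the event records below are constructed and the field names
(image, original_file_name, description, command_line) are assumptions
standing in for Sysmon EID 1 / Security 4688 fields.
"""

from dataclasses import dataclass

# PE-metadata indicators from the IOC list. Compared case-insensitively
# (assumption: Sigma process-creation matching is case-insensitive).
IMAGE_SUFFIX = "\\certipy.exe"
ORIGINAL_FILE_NAME = "certipy.exe"
DESCRIPTION_CONTAINS = "certipy"

# Command-line indicators from the IOC list. The surrounding spaces are part
# of the indicator: ' find ' must not fire on a path such as '\findstr.exe'.
CLI_INDICATORS = (
    " account ", " auth ", " cert ", " find ", " forge ", " ptt ", " relay ",
    " req ", " shadow ", " template ",
    " -bloodhound", " -ca-pfx ", " -dc-ip ", " -kirbi", " -old-bloodhound",
    " -pfx ", " -target", " -template", " -username ", " -vulnerable",
    "auth -pfx", "shadow auto", "shadow list",
)


@dataclass
class ProcessEvent:
    image: str
    original_file_name: str
    description: str
    command_line: str


def image_indicators(ev: ProcessEvent) -> bool:
    """True if any one of the three PE-metadata indicators matches."""
    return (
        ev.image.lower().endswith(IMAGE_SUFFIX)
        or ev.original_file_name.lower() == ORIGINAL_FILE_NAME
        or DESCRIPTION_CONTAINS in ev.description.lower()
    )


def cli_indicators(ev: ProcessEvent) -> list[str]:
    """Return every command-line indicator found as a substring, in list order."""
    cl = ev.command_line.lower()
    return [tok for tok in CLI_INDICATORS if tok in cl]


def evaluate(ev: ProcessEvent) -> dict:
    """Return both selections and the two ways of combining them.

    'strict' ANDs the PE-metadata and command-line selections, as the
    queries above do; 'either' fires when one selection alone matches.
    """
    img = image_indicators(ev)
    cli = cli_indicators(ev)
    return {"image": img, "cli": cli, "strict": img and bool(cli), "either": img or bool(cli)}


# Constructed sample events (not real telemetry).
SAMPLES = {
    # Compiled binary with intact PE metadata: both selections match.
    "compiled_binary": ProcessEvent(
        image=r"C:\Users\alice\Downloads\Certipy.exe",
        original_file_name="Certipy.exe",
        description="Certipy",
        command_line=r"Certipy.exe find -vulnerable -dc-ip 10.0.0.5 -username alice@corp.local",
    ),
    # Certipy run from its Python distribution: the image is the interpreter,
    # so only the command-line selection can match.
    "python_module": ProcessEvent(
        image="/usr/bin/python3.11",
        original_file_name="",
        description="",
        command_line="python3 /home/alice/.local/bin/certipy shadow auto -username alice@corp.local -dc-ip 10.0.0.5",
    ),
    # Benign shell filter: ' find ' is a substring, so a CLI-only rule fires.
    "benign_find": ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        original_file_name="Cmd.Exe",
        description="Windows Command Processor",
        command_line=r'cmd.exe /c type hosts | find "localhost"',
    ),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, evaluate(ev))
```

    Run as a script, the compiled binary fires under both combinations, the Python-based invocation fires only under 'either', and the benign filter command also fires under 'either' on the single token ' find '. That asymmetry is the tuning decision behind the queries above: the strict AND suppresses the ' find ' class of false positives at the cost of missing Certipy run under an interpreter, which then has to be caught by the command-line indicators combined with other context (for example the interpreter's parent process or the rarity of tokens such as ' -vulnerable' and 'shadow auto').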

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml

    Tags

    Malware, Sigma
