{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Suspicious Certutil Command\n", "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Rule Content\n", "```\n", "- title: Suspicious Certutil Command\n", " id: e011a729-98a6-4139-b5c4-bf6f6dd8239a\n", " status: experimental\n", " description: Detects a suspicious Microsoft certutil execution with sub commands\n", " like 'decode' sub command, which is sometimes used to decode malicious code with\n", " the built-in certutil utility\n", " author: Florian Roth, juju4, keepwatch\n", " modified: 2019/01/22\n", " references:\n", " - https://twitter.com/JohnLaTwC/status/835149808817991680\n", " - https://twitter.com/subTee/status/888102593838362624\n", " - https://twitter.com/subTee/status/888071631528235010\n", " - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n", " - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n", " - https://twitter.com/egre55/status/1087685529016193025\n", " - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n", " logsource:\n", " category: process_creation\n", " product: windows\n", " service: null\n", " detection:\n", " selection:\n", " CommandLine:\n", " - '* -decode *'\n", " - '* /decode *'\n", " - '* -decodehex *'\n", " - '* /decodehex *'\n", " - '* -urlcache *'\n", " - '* /urlcache *'\n", " - '* -verifyctl *'\n", " - '* /verifyctl *'\n", " - '* -encode *'\n", " - '* /encode *'\n", " - '*certutil* -URL*'\n", " - '*certutil* /URL*'\n", " - '*certutil* -ping*'\n", " - '*certutil* /ping*'\n", " condition: selection\n", " fields:\n", " - CommandLine\n", " - ParentCommandLine\n", " tags:\n", " - attack.defense_evasion\n", " - attack.t1140\n", " - attack.t1105\n", " - attack.s0189\n", " - attack.g0007\n", " falsepositives:\n", " - False positives depend on scripts and administrative tools used in the monitored\n", " environment\n", " level: high\n", "\n", "```" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Querying Elasticsearch" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import Libraries" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from elasticsearch import Elasticsearch\n", "from elasticsearch_dsl import Search\n", "import pandas as pd" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Initialize Elasticsearch client" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n", "searchContext = Search(using=es, index='logs-*', doc_type='doc')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Run Elasticsearch Query" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "s = searchContext.query('query_string', query='process_command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)')\n", "response = s.execute()\n", "if response.success():\n", " df = pd.DataFrame((d.to_dict() for d in s.scan()))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Show Results" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "df.head()" ] } ], "metadata": {}, "nbformat": 4, "nbformat_minor": 4 }