FalconFriday — Detecting suspicious code compilation and Certutil — 0xFF02

Olaf Hartong
Sep 11, 2020 · 4 min read

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.

‘Bring-your-own-code’

Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is highly-likely flagged by existing security controls. To work around this, attackers take a different approach; uploading their code and compile the code directly on the target machine.

This query is aimed at detecting process executions, specifically those associated with compilation software.

Several tools exist for this purpose. An example of this is a tool created by Cn33liz called MSBuildShell. This tool provides a PowerShell-like shell from MSBuild.exe, allowing you to do everything as if it was a normal PowerShell session; yet bypassing controls like application whitelisting and process restrictions.

Using these techniques to remain undetected is not new, in fact it has been around for a very long time. Still it remains a very effective technique, largely because this behaviour is not detected by default use cases in a lot of security solutions. Luckily for you, this FalconFriday brings you some ideas how you can catch this behaviour!

A few considerations:

You can find the query here on GitHub, we tagged it as T1127-WIN-001.md.

Like to read more about this ?

Certificate services: Certutil

Some pre-installed system tools are regularly used in initial compromise payloads or post-compromise activities, such as spreading malware. Philip Goh affectionally named trusted tools like this ‘living of the land’ binaries (LOLbins). Just for the record, there’s three types of LOL techniques:

There’s also a repo available called ‘Living Off The Land Binaries and Scripts’ (LOLBAS), centralising over 100 binaries to use. This repo is maintained by several individuals. The most popular LOLbin according to stats by Oddvar Moe, and one of the more versatile ones, is Certutil.

This query is aimed at detecting malicious use of Certutil.

According to Microsoft ‘Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains’.

This LOLBin can be used to execute the following techniques:

Now how can we detect malicious behaviour— given most of time it consists of legitimate activity:

A few considerations:

Usage in production

The lookup created to address ‘file renames’ might have some additional load on large environments. We have not experienced any significant impact during our tests. You might want to trim the timeframe in case this is impacting to your setup.

You can find the query here on GitHub, we tagged it as T1105-WIN-001.md.

Like to read more about this ?

Disclaimers

The FalconForce Medium page with the bi-weekly articles can be found HERE.

FalconForce

A team of highly specialized security professionals