FalconFriday — Detecting suspicious code compilation and Certutil — 0xFF02

Olaf Hartong
Sep 11 · 4 min read

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Image for post
Image for post

Today’s content:

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.

‘Bring-your-own-code’

Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is highly-likely flagged by existing security controls. To work around this, attackers take a different approach; uploading their code and compile the code directly on the target machine.

This query is aimed at detecting process executions, specifically those associated with compilation software.

Several tools exist for this purpose. An example of this is a tool created by Cn33liz called MSBuildShell. This tool provides a PowerShell-like shell from MSBuild.exe, allowing you to do everything as if it was a normal PowerShell session; yet bypassing controls like application whitelisting and process restrictions.

Using these techniques to remain undetected is not new, in fact it has been around for a very long time. Still it remains a very effective technique, largely because this behaviour is not detected by default use cases in a lot of security solutions. Luckily for you, this FalconFriday brings you some ideas how you can catch this behaviour!

A few considerations:

You can find the query here on GitHub, we tagged it as T1127-WIN-001.md.

Like to read more about this ?

Certificate services: Certutil

Some pre-installed system tools are regularly used in initial compromise payloads or post-compromise activities, such as spreading malware. Philip Goh affectionally named trusted tools like this ‘living of the land’ binaries (LOLbins). Just for the record, there’s three types of LOL techniques:

There’s also a repo available called ‘Living Off The Land Binaries and Scripts’ (LOLBAS), centralising over 100 binaries to use. This repo is maintained by several individuals. The most popular LOLbin according to stats by Oddvar Moe, and one of the more versatile ones, is Certutil.

This query is aimed at detecting malicious use of Certutil.

According to Microsoft ‘Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains’.

This LOLBin can be used to execute the following techniques:

Now how can we detect malicious behaviour— given most of time it consists of legitimate activity:

A few considerations:

Usage in production

The lookup created to address ‘file renames’ might have some additional load on large environments. We have not experienced any significant impact during our tests. You might want to trim the timeframe in case this is impacting to your setup.

You can find the query here on GitHub, we tagged it as T1105-WIN-001.md.

Like to read more about this ?

Disclaimers

The FalconForce Medium page with the bi-weekly articles can be found HERE.

FalconForce

A team of highly specialized security professionals

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store