From ab6d42ddcf44c24cc55d4ff16ced0d01ee8ffd23 Mon Sep 17 00:00:00 2001 From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Wed, 14 Oct 2020 21:10:19 +0300 Subject: [PATCH 1/6] added command to certutil --- certutil.yml.txt | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 certutil.yml.txt diff --git a/certutil.yml.txt b/certutil.yml.txt new file mode 100644 index 0000000..b1aa789 --- /dev/null +++ b/certutil.yml.txt 
@@ -0,0 +1,76 @@ +--- +Name: Certutil.exe +Description: Windows binary used for handeling certificates +Author: 'Oddvar Moe' +Created: '2018-05-25' +Commands: + - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream + Category: ADS + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/techniques/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -encode inputFileName encodedOutputFileName + Description: Command to encode a file using Base64 + Usecase: Encode files to evade defensive measures + Category: Encode + Privileges: User + MitreID: T1027 + MitreLink: https://attack.mitre.org/wiki/Technique/T1027 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -decode encodedInputFileName decodedOutputFileName + Description: Command to decode a Base64 encoded file. 
+ Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil --decodehex encoded_hexadecimal_InputFileName + Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\certutil.exe + - Path: C:\Windows\SysWOW64\certutil.exe +Code_Sample: + - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) +Detection: + - IOC: Certutil.exe creating new files on disk + - IOC: Useragent Microsoft-CryptoAPI/10.0 + - IOC: Useragent CertUtil URL Agent +Resources: + - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 + - Link: https://twitter.com/mattifestation/status/620107926288515072 + - Link: https://twitter.com/egre55/status/1087685529016193025 +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Moriarty + Handle: '@Moriarty_Meng' + - Person: egre55 + Handle: '@egre55' + - Person: Lior Adar +--- \ No newline at end of file From 9b60a844a2e55b797c03cd9af28dc65fb1140cae Mon Sep 17 00:00:00 2001 From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Sun, 25 Oct 2020 09:03:39 +0200 Subject: [PATCH 2/6] Rename certutil.yml.txt to certutil.yml changed --- certutil.yml.txt => certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename certutil.yml.txt => certutil.yml (97%) diff --git a/certutil.yml.txt b/certutil.yml similarity index 97% rename from certutil.yml.txt rename to certutil.yml index b1aa789..46408ae 100644 --- a/certutil.yml.txt +++ b/certutil.yml 
@@ -73,4 +73,4 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Lior Adar ---- \ No newline at end of file +--- From 2166960d4edcfdc3b8b9189fab1559f1f6bd6463 Mon Sep 17 00:00:00 2001 From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Mon, 26 Oct 2020 08:22:58 +0200 Subject: [PATCH 3/6] changed path --- certutil.yml => yml/OSBinaries/certutil.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename certutil.yml => yml/OSBinaries/certutil.yml (100%) diff --git a/certutil.yml b/yml/OSBinaries/certutil.yml similarity index 100% rename from certutil.yml rename to yml/OSBinaries/certutil.yml From 76d79ea4791709f52b1348e25c174571a4bd63c8 Mon Sep 17 00:00:00 2001 From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Mon, 26 Oct 2020 08:57:42 +0200 Subject: [PATCH 4/6] Update Certutil --- yml/OSBinaries/Certutil.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index db1e9a8..83afab2 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -44,11 +44,19 @@ Commands: MitreID: T1140 MitreLink: https://attack.mitre.org/wiki/Technique/T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil --decodehex encoded_hexadecimal_InputFileName + Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe Code_Sample: - - Code: + - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) Detection: - IOC: Certutil.exe creating new files on disk - IOC: Useragent Microsoft-CryptoAPI/10.0 
@@ -64,4 +72,5 @@ Acknowledgement: Handle: '@Moriarty_Meng' - Person: egre55 Handle: '@egre55' + - Person: Lior Adar --- From 64d5dffc4b337424d1c10bbce7c1d327253a508e Mon Sep 17 00:00:00 2001 From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Mon, 26 Oct 2020 08:59:00 +0200 Subject: [PATCH 5/6] Delete certutil.yml --- yml/OSBinaries/certutil.yml | 76 ------------------------------------- 1 file changed, 76 deletions(-) delete mode 100644 yml/OSBinaries/certutil.yml diff --git a/yml/OSBinaries/certutil.yml b/yml/OSBinaries/certutil.yml deleted file mode 100644 index 46408ae..0000000 --- a/yml/OSBinaries/certutil.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -Name: Certutil.exe -Description: Windows binary used for handeling certificates -Author: 'Oddvar Moe' -Created: '2018-05-25' -Commands: - - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - MitreLink: https://attack.mitre.org/wiki/Technique/T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - MitreLink: https://attack.mitre.org/wiki/Technique/T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt - Description: Download and save a PS1 file to an Alternate Data Stream (ADS). - Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream - Category: ADS - Privileges: User - MitreID: T1096 - MitreLink: https://attack.mitre.org/techniques/T1096 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil -encode inputFileName encodedOutputFileName - Description: Command to encode a file using Base64 - Usecase: Encode files to evade defensive measures - Category: Encode - Privileges: User - MitreID: T1027 - MitreLink: https://attack.mitre.org/wiki/Technique/T1027 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil -decode encodedInputFileName decodedOutputFileName - Description: Command to decode a Base64 encoded file. 
- Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - MitreLink: https://attack.mitre.org/wiki/Technique/T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil --decodehex encoded_hexadecimal_InputFileName - Description: Command to decode a hexadecimal-encoded file decodedOutputFileName - Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - MitreLink: https://attack.mitre.org/wiki/Technique/T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full_Path: - - Path: C:\Windows\System32\certutil.exe - - Path: C:\Windows\SysWOW64\certutil.exe -Code_Sample: - - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) -Detection: - - IOC: Certutil.exe creating new files on disk - - IOC: Useragent Microsoft-CryptoAPI/10.0 - - IOC: Useragent CertUtil URL Agent -Resources: - - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - - Link: https://twitter.com/mattifestation/status/620107926288515072 - - Link: https://twitter.com/egre55/status/1087685529016193025 -Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Moriarty - Handle: '@Moriarty_Meng' - - Person: egre55 - Handle: '@egre55' - - Person: Lior Adar ---- From 5806d33e7066cd1e73b32baee75d5fc5e1ee30ea Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Mon, 26 Oct 2020 19:43:55 -0400 Subject: [PATCH 6/6] Update Certutil.yml --- yml/OSBinaries/Certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 83afab2..c58c55d 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -56,7 +56,7 @@ Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe Code_Sample: - - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) + - Code: Detection: - IOC: Certutil.exe creating new files on disk - IOC: Useragent Microsoft-CryptoAPI/10.0
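Review bot: Patch 1 (`certutil.yml.txt`, hunk `@@ -0,0 +1,76 @@`) creates a whole new file for a binary the repository already documents at `yml/OSBinaries/Certutil.yml` (the file patch 4 edits), and it is placed in the repository root with a stray `.txt` suffix, so nothing that consumes the `yml/` tree would pick it up. The two new pieces of content (the `--decodehex` command and the `Lior Adar` acknowledgement) should go into the existing file rather than a copy; the copy also carries the same defects as the version added in patch 4, including `Code:546573745f62795f4c696f72(...)` with no space after the colon, which YAML reads as a plain string item instead of a `Code` key.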
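Review bot: Patch 2 fixes the `.txt` suffix and the missing trailing newline after `---`, but `certutil.yml` still sits in the repository root instead of `yml/OSBinaries/` with the other entries, so the rename alone does not make the file discoverable.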
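Review bot: Patch 3 renames the file to `yml/OSBinaries/certutil.yml`, which lands beside the existing `yml/OSBinaries/Certutil.yml` that patch 4 modifies; the tree then holds two entries for the same binary whose names differ only in case, which collides on a case-insensitive checkout (Windows, default macOS). Drop the lowercase file and carry the changes in the existing one.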
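Review bot: In patch 4, hunk `@@ -44,11 +44,19 @@`, the output filename of the new entry has slipped from the Command into the Description: `+ - Command: certutil --decodehex encoded_hexadecimal_InputFileName` is followed by `+ Description: Command to decode a hexadecimal-encoded file decodedOutputFileName`. certutil's syntax is `-decodehex InFile OutFile`, so the Command should read `certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName` (single dash, consistent with the `-encode` and `-decode` entries above it) and the Description should end at "file". Same hunk: `+ - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)` has no space after the colon, so it is not a `Code` key but a bare string in the list, and the parenthetical becomes part of the value; if a sample is wanted, write `- Code: '546573745f62795f4c696f72'` and put the explanation in a Description. The hex itself decodes to "Test_by_Lior", a personal signature; a neutral sample string is preferable in a shared reference.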
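Review bot: In patch 4, hunk `@@ -64,4 +72,5 @@`, `+ - Person: Lior Adar` is the only Acknowledgement entry without a `Handle:` line; the three entries above it all pair `Person` with `Handle`. Add a handle (or an explicit empty one) so the list stays uniform for whatever renders it.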
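Review bot: Patch 5 deletes `yml/OSBinaries/certutil.yml` wholesale, which undoes patches 1 to 3 entirely; the net change of the series is only patches 4 and 6. Squash the series so the create, rename, rename, delete churn of the lowercase duplicate does not land in history.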
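Review bot: Patch 6, hunk `@@ -56,7 +56,7 @@`, reverts the malformed sample back to an empty `- Code:`, which is the right call given the missing space and the embedded parenthetical, but it leaves the `--decodehex` entry from patch 4 in place with its double-dash flag and with `decodedOutputFileName` still sitting in the Description instead of the Command. Those two lines need fixing before the series merges; if a hex sample is wanted later, `- Code: '546573745f62795f4c696f72'` is the valid form.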