CAR-2021-05-008: Certutil exe certificate extraction
This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Forge Web Credentials | SAML Tokens | Credential Access | Moderate |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |
Implementations
Pseudocode – CertUtil certificate extraction (Pseudocode, CAR native)
Pseudocode implementation of the Splunk search below
processes = search Process:Create
certutil_downloads = filter processes where (
exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * )
output certutil_downloads
Splunk code (Splunk, Endpoint)
Splunk implementation
| tstats count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name Processes.process Processes.user
Unit Tests
Test Case 1
Configurations: Using Splunk Attack Range
Replay the detection dataset using the Splunk attack range with the commands below
python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
Test Case 2
Configurations: Using Invoke-AtomicRedTeam
Execute the atomic test T1606.002 against a Windows target.
Invoke-AtomicTest T1606.002