Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below can be converted to native query syntax for Splunk, Elastic, Sentinel and other SIEMs. Each rule is followed by its raw YAML.

Detection rules

HackTool - Certify Execution (level: high)
Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
status: test · author: pH-T (Nextron Systems) · id: 762f2482-ff21-4970-8939-0aa317a886bb
Sigma YAML:
title: HackTool - Certify Execution
id: 762f2482-ff21-4970-8939-0aa317a886bb
status: test
description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/GhostPack/Certify
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2023-04-25
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certify.exe'
        - OriginalFileName: 'Certify.exe'
        - Description|contains: 'Certify'
    selection_cli_commands:
        CommandLine|contains:
            - '.exe cas '
            - '.exe find '
            - '.exe pkiobjects '
            - '.exe request '
            - '.exe download '
    selection_cli_options:
        CommandLine|contains:
            - ' /vulnerable'
            - ' /template:'
            - ' /altname:'
            - ' /domain:'
            - ' /path:'
            - ' /ca:'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high
HackTool - Certipy Execution (level: high)
Detects execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
status: test · author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak · id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
Sigma YAML:
title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' account '
            - ' auth '
            # - ' ca ' # Too short to be used with just one CLI
            - ' cert '
            - ' find '
            - ' forge '
            - ' ptt '
            - ' relay '
            - ' req '
            - ' shadow '
            - ' template '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -template'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high
Certificate Exported From Local Certificate Store (level: medium)
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
status: test · author: Zach Mathis · id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
Sigma YAML:
title: Certificate Exported From Local Certificate Store
id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
status: test
description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: certificateservicesclient-lifecycle-system
detection:
    selection:
        EventID: 1007 # A certificate has been exported
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium
Certificate Private Key Acquired (level: medium)
Detects when an application acquires a certificate private key.
status: test · author: Zach Mathis · id: e2b5163d-7deb-4566-9af3-40afea6858c3
Sigma YAML:
title: Certificate Private Key Acquired
id: e2b5163d-7deb-4566-9af3-40afea6858c3
status: test
description: Detects when an application acquires a certificate private key
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: capi2
    definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
detection:
    selection:
        EventID: 70 # Acquire Certificate Private Key
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium