FalconFriday — Detecting suspicious code compilation and Certutil

FalconFriday — Detecting suspicious code compilation and Certutil — 0xFF02

September 11, 2020

Olaf Hartong

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

Detecting suspicious code compilation.
Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.

‘Bring-your-own-code’

Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is highly-likely flagged by existing security controls. To work around this, attackers take a different approach; uploading their code and compile the code directly on the target machine.

This query is aimed at detecting process executions, specifically those associated with compilation software.

Several tools exist for this purpose. An example of this is a tool created by Cn33liz called MSBuildShell. This tool provides a PowerShell-like shell from MSBuild.exe, allowing you to do everything as if it was a normal PowerShell session; yet bypassing controls like application whitelisting and process restrictions.

Using these techniques to remain undetected is not new, in fact it has been around for a very long time. Still it remains a very effective technique, largely because this behaviour is not detected by default use cases in a lot of security solutions. Luckily for you, this FalconFriday brings you some ideas how you can catch this behaviour!

A few considerations:

You want to look at process executions invoking software that is known to compile software, such as MSBuild.exe (Microsoft Visual Studio).
To reduce false positives, we recommend excluding items based on specific FolderPaths.
Depending on your environment, there obviously may be some legitimate use that we didn’t account for.

You can find the query here on GitHub, we tagged it as T1127-WIN-001.md.

Like to read more about this ?

Certificate services: Certutil

Some pre-installed system tools are regularly used in initial compromise payloads or post-compromise activities, such as spreading malware. Philip Goh affectionally named trusted tools like this ‘living of the land’ binaries (LOLbins). Just for the record, there’s three types of LOL techniques:

LOLbins: using Windows binaries.
LOLLibs: using libraries
LOLScripts: using scripts

There’s also a repo available called ‘Living Off The Land Binaries and Scripts’ (LOLBAS), centralising over 100 binaries to use. This repo is maintained by several individuals. The most popular LOLbin according to stats by Oddvar Moe, and one of the more versatile ones, is Certutil.

This query is aimed at detecting malicious use of Certutil.

According to Microsoft ‘Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains’.

This LOLBin can be used to execute the following techniques:

T1105 — Ingress Tool Transfer
T1564.004 — Hide Artifacts: NTFS File Attributes
T1027 — Obfuscated Files or Information
T1140 — Deobfuscate/Decode Files or Information

Now how can we detect malicious behaviour— given most of time it consists of legitimate activity:

Our detection addresses focuses on detection ‘detection evasion’ techniques. Most of these have been pulled from the amazing research by Daniel Bohannon, aptly named DOSfuscation.
Second, you want to define the HashTimeFrame. We recommend to work with a 30d timeframe due to potential resource constraints.
Next we want to start looking into Certutil executions by investigating SHA1 hashes from prior Certutil executions or file create events where the former file name is Certutil.

A few considerations:

This detection covers multiple techniques. We chose to map it to T1105 (Ingress Tool Transfer) because in our experience this is what Certutil is most commonly utilised for.
Take into account that there are always bypasses possible. For example, we added detection resiliency logic in an attempt to address the potential scenario where the attacker renames the binary first before executing it. If he were to upload the renamed binary it might be missed by our rule.
For the download technique, you could match it to DeviceNetworkEvents that connect to the internet for more contextual information.

Usage in production

The lookup created to address ‘file renames’ might have some additional load on large environments. We have not experienced any significant impact during our tests. You might want to trim the timeframe in case this is impacting to your setup.

You can find the query here on GitHub, we tagged it as T1105-WIN-001.md.

Like to read more about this ?

Disclaimers

Don’t expect to copy-paste the queries in your environment and be done with it. We provide a foundational query which can detect a certain technique. You will need to fine-tune/extend the query to your organisation’s specifics to make it work in your environment and integrate into your monitoring solution.
The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.
Direct link to our Github page: https://github.com/FalconForceTeam/FalconFriday

The FalconForce Medium page with the bi-weekly articles can be found HERE.