HackTool - Certipy Execution

Detects execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command-line arguments.

Sigma rule

title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
        Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' account '
            - ' auth '
            # - ' ca ' # Too short to be used with just one CLI
            - ' cert '
            - ' find '
            - ' forge '
            - ' ptt '
            - ' relay '
            - ' req '
            - ' shadow '
            - ' template '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -template'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high
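As an added example (not part of the SigmaHQ rule or the Certipy project), the rule's condition written out as a small Python evaluator and run over constructed process-creation events, so the effect of `all of selection_cli_*` and of the excluded ' ca ' keyword is visible. It assumes Sigma's default case-insensitive matching for `contains`, `endswith` and plain equality; the field names are the rule's own and the sample events are constructed.

```python
# Added example: evaluator for this rule's logic over constructed events.
# Assumption: Sigma string matching is case-insensitive by default.

IMG_ENDSWITH = ["\\certipy.exe"]          # Image|endswith
IMG_ORIGINAL = ["certipy.exe"]            # OriginalFileName (exact)
IMG_DESC_CONTAINS = ["certipy"]           # Description|contains
CLI_COMMANDS = [" account ", " auth ", " cert ", " find ", " forge ",
                " ptt ", " relay ", " req ", " shadow ", " template "]
CLI_FLAGS = [" -bloodhound", " -ca-pfx ", " -dc-ip ", " -kirbi",
             " -old-bloodhound", " -pfx ", " -target", " -template",
             " -username ", " -vulnerable", "auth -pfx", "shadow auto",
             "shadow list"]


def _contains_any(value, needles):
    """Sigma 'contains' over a list: any needle found, case-insensitive."""
    v = (value or "").lower()
    return any(n in v for n in needles)


def selection_img(event):
    """selection_img is a list of maps, i.e. OR of the three PE-metadata checks."""
    image = (event.get("Image") or "").lower()
    return (any(image.endswith(s) for s in IMG_ENDSWITH)
            or (event.get("OriginalFileName") or "").lower() in IMG_ORIGINAL
            or _contains_any(event.get("Description"), IMG_DESC_CONTAINS))


def matches(event):
    """condition: selection_img or all of selection_cli_*"""
    cmd = event.get("CommandLine")
    return selection_img(event) or (
        _contains_any(cmd, CLI_COMMANDS) and _contains_any(cmd, CLI_FLAGS))


# Constructed sample events (not real telemetry; 10.0.0.1 is a placeholder).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\Certipy.exe", "CommandLine": "Certipy.exe"},
    {"Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe certipy find -vulnerable -dc-ip 10.0.0.1"},
    # ' ca ' is commented out in the rule (too short), so this one is missed
    {"Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe certipy ca -dc-ip 10.0.0.1"},
    # ordinary 'find': keyword alone is not enough without a matching flag
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c find \"error\" log.txt"},
]


def detect(events):
    """Indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Running `detect(SAMPLE_EVENTS)` flags only the first two events, which shows why the rule pairs the keyword list with the flag list: the single-word selectors would otherwise fire on unrelated commands such as `find`.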
