HackTool - Certipy Execution

Detects Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.

Sigma rule

title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: Detects Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
author: pH-T (Nextron Systems)
date: 2023/04/17
tags:
    - attack.discovery
    - attack.credential_access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' auth '
            - ' find '
            - ' forge '
            - ' relay '
            - ' req '
            - ' shadow '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high
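To see how the two branches of the condition behave, the following Python script re-implements the rule's detection logic and runs it over a handful of constructed process-creation events. This is an added example, not code from the rule's author or from the Certipy project; the event field names follow the Sigma process_creation schema (Image, OriginalFileName, Description, CommandLine) and the sample events and their paths are made up for illustration. Sigma string comparisons are case-insensitive by default, so both sides of every comparison are lower-cased.

```python
"""Apply the 'HackTool - Certipy Execution' Sigma rule to process-creation events.

Added example, not code from the rule's author or from the Certipy project.
Events below are constructed for illustration; field names follow the Sigma
process_creation schema. Sigma matching is case-insensitive, so every
comparison lower-cases both sides.
"""
from __future__ import annotations

# Values copied verbatim from the rule's detection section.
SELECTION_CLI_COMMANDS = [" auth ", " find ", " forge ", " relay ", " req ", " shadow "]
SELECTION_CLI_FLAGS = [
    " -bloodhound", " -ca-pfx ", " -dc-ip ", " -kirbi", " -old-bloodhound",
    " -pfx ", " -target", " -username ", " -vulnerable",
    "auth -pfx", "shadow auto", "shadow list",
]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' over a list: OR across the values, case-insensitive."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def selection_img(event: dict) -> bool:
    """PE-metadata branch: any one of the three list items is enough."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    description = event.get("Description", "").lower()
    return (image.endswith("\\certipy.exe")
            or original == "certipy.exe"
            or "certipy" in description)


def selection_cli_commands(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), SELECTION_CLI_COMMANDS)


def selection_cli_flags(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), SELECTION_CLI_FLAGS)


def matches(event: dict) -> bool:
    """condition: selection_img or all of selection_cli_*"""
    return selection_img(event) or (selection_cli_commands(event) and selection_cli_flags(event))


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # Unmodified binary: metadata alone matches, whatever the arguments.
        "id": "unrenamed",
        "Image": r"C:\Tools\Certipy.exe",
        "OriginalFileName": "Certipy.exe",
        "Description": "Certipy",
        "CommandLine": "Certipy.exe find -u alice@corp.local -p Passw0rd",
    },
    {   # Renamed with metadata stripped: caught by command word plus flags.
        "id": "renamed",
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "",
        "Description": "",
        "CommandLine": "svchost.exe find -username alice@corp.local -dc-ip 10.10.1.5 -vulnerable",
    },
    {   # Benign: ' find ' is present but no flag, so the cli branch fails.
        "id": "benign_find",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "Description": "Windows Command Processor",
        "CommandLine": 'cmd.exe /c find /i "error" app.log',
    },
    {   # Flag only: ' -target' without a command word does not match.
        "id": "flag_only",
        "Image": r"C:\Program Files\Backup\backup.exe",
        "OriginalFileName": "backup.exe",
        "Description": "Backup agent",
        "CommandLine": r"backup.exe -target \\fs01\archive -full",
    },
]


def evaluate(events: list[dict]) -> dict[str, bool]:
    """Return {event id: matched} for a batch of process-creation events."""
    return {e["id"]: matches(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(EVENTS).items():
        print(f"{event_id:12s} {'MATCH' if hit else 'no match'}")
```

Two points worth noting from the run. The "unrenamed" event matches only through selection_img: its command line uses the short options -u and -p, which are not in selection_cli_flags, so a renamed, metadata-stripped binary invoked with short options alone would be missed unless another listed flag such as -dc-ip or -vulnerable is also present. And because the condition requires all of selection_cli_*, a generic word like " find " on its own (the benign cmd.exe case) does not fire, which is what keeps the false-positive rate low.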
