windows_mimikatz_crypto_export_file_extensions.yml
name: Windows Mimikatz Crypto Export File Extensions
id: 3a9a6806-16a8-4cda-8d73-b49d10a05b16
version: 1
date: '2023-12-27'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic identifies file creations whose names match the
  hardcoded extensions used by the crypto module of Mimikatz (kuhl_m_crypto) when it
  exports certificates and private keys. Moving or downloading certificates is not
  malicious on its own, but because Mimikatz writes its exports with fixed name
  patterns (for example `.keyx.rsa.pvk`, `.sign.rsa.pvk`, `.dsa.ec.p8k`), file names
  matching them help identify potential certificate and private-key export activity.
data_source:
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.keyx.rsa.pvk","*sign.rsa.pvk","*sign.dsa.pvk","*dsa.ec.p8k","*dh.ec.p8k",
  "*.pfx", "*.der") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name
  Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
  | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`'
how_to_implement: To successfully implement this search you need to be ingesting
  file-creation events (for example Sysmon Event ID 11) that include the name of the
  process responsible for the change from your endpoints into the `Endpoint` data
  model, `Filesystem` node. In addition, confirm that CIM App 4.20 or higher and the
  latest TA for the endpoint product are installed.
known_false_positives: False positives are expected, because `.pfx` and `.der` are
  common legitimate certificate formats; review results before promoting this analytic
  from Anomaly to TTP. If the volume is too high, remove the generic `*.pfx` pattern
  (and `*.der` if it is also noisy) and keep the Mimikatz-specific `.pvk` and `.p8k`
  patterns.
references:
- https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645
tags:
  analytic_story:
  - Sandworm Tools
  - CISA AA23-347A
  - Windows Certificate Services
  asset_type: Endpoint
  confidence: 70
  impact: 40
  message: Certificate file extensions related to Mimikatz were identified on disk
    on $dest$.
  mitre_attack_id:
  - T1649
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Filesystem.dest
  - Filesystem.file_create_time
  - Filesystem.file_name
  - Filesystem.file_path
  risk_score: 28
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
    update_timestamp: true
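As an added example (not code from the Splunk security_content repository or from Mimikatz), the following Python re-implements the file-name matching and one-hour aggregation of the search above against constructed Sysmon Event ID 11 records, so the tuning described in known_false_positives can be tried offline: dropping the generic `*.pfx`/`*.der` patterns, and applying a path allowlist in place of the `windows_mimikatz_crypto_export_file_extensions_filter` macro. The hostnames, paths and file names in the sample records are constructed and do not reflect real Mimikatz output naming.

```python
"""Offline re-implementation of the Splunk analytic's file-name matching.

Added example, not Splunk or Mimikatz code. The SAMPLE_EVENTS below are
constructed Sysmon Event ID 11 (FileCreate) records reduced to the fields the
analytic reads; they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatch

# Patterns copied from the analytic's IN(...) clause. The first five are the
# Mimikatz-specific private-key names; *.pfx and *.der are generic certificate
# formats and are the noisy part (see known_false_positives).
MIMIKATZ_PATTERNS = ("*.keyx.rsa.pvk", "*sign.rsa.pvk", "*sign.dsa.pvk",
                     "*dsa.ec.p8k", "*dh.ec.p8k")
GENERIC_PATTERNS = ("*.pfx", "*.der")

# Constructed records (hostnames, paths and names are made up for this example).
SAMPLE_EVENTS = [
    {"_time": "2023-12-27T10:03:11", "dest": "WS01", "file_name": "0_alice.keyx.rsa.pvk",
     "file_path": r"C:\Users\alice\AppData\Local\Temp\0_alice.keyx.rsa.pvk"},
    {"_time": "2023-12-27T10:03:12", "dest": "WS01", "file_name": "0_alice.sign.rsa.pvk",
     "file_path": r"C:\Users\alice\AppData\Local\Temp\0_alice.sign.rsa.pvk"},
    {"_time": "2023-12-27T10:04:02", "dest": "WS01", "file_name": "alice.pfx",
     "file_path": r"C:\Users\alice\AppData\Local\Temp\alice.pfx"},
    {"_time": "2023-12-27T11:15:40", "dest": "WS01", "file_name": "notes.txt",
     "file_path": r"C:\Users\alice\Documents\notes.txt"},
    {"_time": "2023-12-27T14:30:05", "dest": "SRV02", "file_name": "webserver.pfx",
     "file_path": r"C:\ProgramData\PKI\webserver.pfx"},
    {"_time": "2023-12-27T14:31:00", "dest": "SRV02", "file_name": "ca-root.der",
     "file_path": r"C:\ProgramData\PKI\ca-root.der"},
]


def matched_pattern(file_name, patterns):
    """Return the first glob that matches file_name (case-insensitive, as a
    wildcard IN() on file_name behaves in Splunk), or None if nothing matches."""
    name = file_name.lower()
    for pattern in patterns:
        if fnmatch(name, pattern.lower()):
            return pattern
    return None


def detect(events, include_generic=True, exclude_path_globs=()):
    """Re-create the tstats aggregation: group matching file creations by dest
    and one-hour span, reporting count, firstTime and lastTime.

    include_generic=False is the tuning from known_false_positives (drop *.pfx
    and *.der). exclude_path_globs stands in for the *_filter macro, which in
    production is an analyst-maintained allowlist (e.g. a PKI team's export
    directory); it is an assumed interface for this example only.
    """
    patterns = MIMIKATZ_PATTERNS + (GENERIC_PATTERNS if include_generic else ())
    buckets = defaultdict(list)
    for ev in events:
        path = ev["file_path"].lower()
        if any(fnmatch(path, g.lower()) for g in exclude_path_globs):
            continue  # allowlisted location, same effect as the filter macro
        pattern = matched_pattern(ev["file_name"], patterns)
        if pattern is None:
            continue
        ts = datetime.fromisoformat(ev["_time"])
        span = ts.replace(minute=0, second=0, microsecond=0)  # span=1h
        buckets[(ev["dest"], span)].append((ts, ev["file_name"], pattern))

    results = []
    # Order by span then dest so output reads chronologically.
    for (dest, span), hits in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        times = [h[0] for h in hits]
        results.append({
            "dest": dest,
            "span": span.isoformat(),
            "count": len(hits),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
            "file_names": [h[1] for h in hits],
            "patterns": sorted({h[2] for h in hits}),
        })
    return results


if __name__ == "__main__":
    print("--- full pattern list ---")
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("--- Mimikatz-specific patterns only ---")
    for row in detect(SAMPLE_EVENTS, include_generic=False):
        print(row)
    print("--- full list with PKI export directory allowlisted ---")
    for row in detect(SAMPLE_EVENTS, exclude_path_globs=(r"C:\ProgramData\PKI\*",)):
        print(row)
```

With the full pattern list both hosts fire (WS01 on the two `.pvk` files plus `alice.pfx`, SRV02 on the generic `.pfx`/`.der` pair); with `include_generic=False` only WS01 remains, which is the trade-off the known_false_positives note describes. Note that `firstTime`/`lastTime` come from the raw event times, while the span key is the hour bucket, mirroring `min(_time)`/`max(_time)` with `by _time span=1h`.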