windows_registry_certificate_added.yml
name: Windows Registry Certificate Added
id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87
version: 2
date: '2023-04-27'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic identifies the installation of a root CA certificate
  by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml).
  In short, there are specific certificate registry paths that will be written to
  (SetValue) when a new certificate is added. The high-fidelity events to pay attention
  to are SetValue events where the TargetObject property ends with "<THUMBPRINT_VALUE>\Blob",
  as this indicates the direct installation or modification of a root certificate
  binary blob. The other high-fidelity signal is which process is making the
  registry modification. Very few processes modify these keys day to day,
  so monitoring all of them as a starting point (hunting) is a good first step.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Registry
  where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob"
  by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name
  Registry.process_guid Registry.registry_key_name Registry.registry_value_data
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_registry_certificate_added_filter`'
how_to_implement: To successfully implement this search you need to be ingesting registry
  events that include the name of the process responsible for the change from
  your endpoints into the `Endpoint` data model, in the `Processes` and `Registry` nodes.
  In addition, confirm that CIM App 4.20 or higher is installed, along with the latest
  TA for the endpoint product.
known_false_positives: False positives will be limited to a legitimate business application
  consistently adding new root certificates to the endpoint. Filter by user, process,
  or thumbprint.
references:
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004
tags:
  analytic_story:
  - Windows Drivers
  - Windows Registry Abuse
  asset_type: Endpoint
  confidence: 70
  impact: 60
  message: A root certificate was added on $dest$.
  mitre_attack_id:
  - T1553.004
  - T1553
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Registry.registry_path
  - Registry.registry_key_name
  - Registry.registry_value_name
  - Registry.dest
  risk_score: 42
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
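As an added example (not code from the Splunk security content repository), the script below applies the detection logic in the description to Sysmon Event ID 12/13 records in XML form: it keeps only SetValue writes whose TargetObject ends in `<THUMBPRINT>\Blob` under a certificates key and reports the writing process, so an `allowed_images` list can play the role of the `windows_registry_certificate_added_filter` macro. The events, thumbprint, SID and the `ExampleCorp\Updater.exe` path are all constructed placeholders.

```python
# Added example, not part of the Splunk content repo. Applies the Blob-write
# detection from the description to constructed Sysmon XML records.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# <store>\Certificates\<SHA-1 thumbprint>\Blob: the same condition as the search's
# "*\certificates\*" path filter plus registry_value_name="Blob".
BLOB_RE = re.compile(
    r"\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-F]{40})\\Blob$", re.IGNORECASE)

def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
          "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev

def certificate_blob_writes(xml_events, allowed_images=()):
    """One finding per certificate Blob SetValue by a process not on the allowlist."""
    allowed = {a.lower() for a in allowed_images}
    findings = []
    for ev in map(parse_event, xml_events):
        if ev["EventID"] != "13" or ev.get("EventType") != "SetValue":
            continue  # Event 12 (key create/delete) never carries the Blob value itself
        m = BLOB_RE.search(ev.get("TargetObject", ""))
        if not m or ev.get("Image", "").lower() in allowed:
            continue
        findings.append({"dest": ev["Computer"], "user": ev.get("User"),
                         "image": ev.get("Image"), "store": m["store"],
                         "thumbprint": m["thumb"].upper(), "path": ev["TargetObject"]})
    return findings

def _ev(eid, etype, image, target, user="WKS01\\alice"):
    """Build a constructed Sysmon XML record (placeholder host, user and paths)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>WKS01</Computer></System><EventData>'
            f'<Data Name="EventType">{etype}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="User">{user}</Data>'
            f'</EventData></Event>')

THUMB = "A" * 40  # placeholder thumbprint, not a real certificate
SAMPLE_EVENTS = [  # constructed sample log: two Blob writes, two non-matching events
    _ev(13, "SetValue", r"C:\Windows\System32\certutil.exe",
        rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{THUMB}\Blob"),
    _ev(13, "SetValue", r"C:\Program Files\ExampleCorp\Updater.exe",
        rf"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\SystemCertificates\Root\Certificates\{THUMB}\Blob"),
    _ev(13, "SetValue", r"C:\Windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\Shell\Bags"),
    _ev(12, "CreateKey", r"C:\Windows\System32\certutil.exe",
        rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{THUMB}"),
]
```

Running `certificate_blob_writes(SAMPLE_EVENTS)` returns the two Blob writes; passing the updater path in `allowed_images` drops it, which is the tuning step the known_false_positives note describes.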