detection.wiki

Detection rules › Splunk

Detect Certify With PowerShell Script Block Logging

Status
production
Severity
medium
Group by
Guid, Name, Opcode, Path, ScriptBlockId, ScriptBlockText, dest, process_id, signature, signature_id, user_id, vendor_product
Author
Steven Dick
Source
github.com/splunk/security_content

The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell
Credential AccessT1649 Steal or Forge Authentication Certificates

Event coverage

ProviderEventTitle
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Rule body splunk

name: Detect Certify With PowerShell Script Block Logging
id: f533ca6c-9440-4686-80cb-7f294c07812a
version: 14
creation_date: '2023-07-28'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*"))
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown")
      | eval signature = substr(command,0,256)
      | `detect_certify_with_powershell_script_block_logging_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba..
known_false_positives: No false positives have been identified at this time.
references:
    - https://github.com/GhostPack/Certify
    - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user_id$"
      search: '%original_detection_search% | search  dest = "$dest$" user_id = "$user_id$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Certify arguments through PowerShell detected on $dest$.
    entity:
        field: user_id
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 50
          message: Certify arguments through PowerShell detected on $dest$.
analytic_story:
    - Windows Certificate Services
    - Malicious PowerShell
asset_type: Endpoint
mitre_attack_id:
    - T1059.001
    - T1649
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: search

`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*"))

Stage 2: fillnull

| fillnull

Stage 3: stats

| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText

Stage 4: search

| `security_content_ctime(firstTime)`

Stage 5: search

| `security_content_ctime(lastTime)`

Stage 6: eval

| eval file_name = case(isnotnull(file_name),file_name,true(),"unknown")
file_name =
ifisnotnull(file_name)file_name
else"unknown"

Stage 7: eval

| eval signature = substr(command,0,256)

Stage 8: search

| `detect_certify_with_powershell_script_block_logging_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4104 corpus 268 (splunk 268)
ScriptBlockTextin
  • "* -ca *"
  • "* -u *"
  • "* -username *"
  • "* -vulnerable*"
  • "* /ca:*"
  • "* /enrolleeSuppliesSubject *"
  • "* /json /outfile*"
  • "* /vulnerable*"
  • "*auth *"
  • "*download *"
  • "*find *"
  • "*req *"
  • "*request *"