HackTool - Certify Execution

Severity: high
Author: pH-T (Nextron Systems)
Source: upstream

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1649` Steal or Forge Authentication Certificates

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_img`

or:
Description|contains: Certify
Image|endswith: '\Certify.exe'
OriginalFileName: Certify.exe

Stage 2: `all of selection_cli_commands`

or:
CommandLine|contains: '.exe cas '
CommandLine|contains: '.exe download '
CommandLine|contains: '.exe find '
CommandLine|contains: '.exe pkiobjects '
CommandLine|contains: '.exe request '

Stage 3: `all of selection_cli_options`

or:
CommandLine|contains: ' /altname:'
CommandLine|contains: ' /ca:'
CommandLine|contains: ' /domain:'
CommandLine|contains: ' /path:'
CommandLine|contains: ' /template:'
CommandLine|contains: ' /vulnerable'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/altname:` `/ca:` `/domain:` `/path:` `/template:` `/vulnerable` `.exe cas` `.exe download` `.exe find` `.exe pkiobjects` `.exe request`
`Description`	match	`Certify`
`Image`	ends_with	`\Certify.exe` corpus 2 (sigma 2)
`OriginalFileName`	eq	`Certify.exe`