EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - Certipy Execution

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

MITRE ATT&CK

T1649
discoverycredential-access

Detection Query

selection_img:
  - Image|endswith: \Certipy.exe
  - OriginalFileName: Certipy.exe
  - Description|contains: Certipy
selection_cli_commands:
  CommandLine|contains:
    - " account "
    - " auth "
    - " cert "
    - " find "
    - " forge "
    - " ptt "
    - " relay "
    - " req "
    - " shadow "
    - " template "
selection_cli_flags:
  CommandLine|contains:
    - " -bloodhound"
    - " -ca-pfx "
    - " -dc-ip "
    - " -kirbi"
    - " -old-bloodhound"
    - " -pfx "
    - " -target"
    - " -template"
    - " -username "
    - " -vulnerable"
    - auth -pfx
    - shadow auto
    - shadow list
condition: selection_img or all of selection_cli_*

Author

pH-T (Nextron Systems), Sittikorn Sangrattanapitak

Created

2023-04-17

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.discoveryattack.credential-accessattack.t1649
Raw Content
title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' account '
            - ' auth '
            # - ' ca ' # Too short to be used with just one CLI
            - ' cert '
            - ' find '
            - ' forge '
            - ' ptt '
            - ' relay '
            - ' req '
            - ' shadow '
            - ' template '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -template'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high