{"id":3774,"date":"2018-11-01T11:15:45","date_gmt":"2018-11-01T10:15:45","guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=3774"},"modified":"2023-02-02T16:23:13","modified_gmt":"2023-02-02T15:23:13","slug":"short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/","title":{"rendered":"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.16″ da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}”]<\/p>\n

Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware.<\/p>\n

I’d like to show you an easy way to create a YARA rule for such a certificate. We will look at a sample that has been marked as malware by many Antivirus engines on Virustotal and the “Details” tab shows a revoked certificate. That’s a good indicator for a compromised certificate that has been and sometimes is still used by threat groups to sign their binaries.<\/p>\n

Sample:\u00a0ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4<\/a><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2018\/11\/Screenshot-2018-11-01-at-11.01.16.png” align_tablet=”center” align_phone=”” align_last_edited=”on|desktop” _builder_version=”4.16″ global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.19.5″ hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Let’s look at the details. I recommend creating a YARA that uses the “pe” module of YARA and integrate the Serial Number and the Issuer of the certificate to create an unambiguous rule.<\/p>\n

\nrule MAL_Compromised_Cert_Nov18_1 {\n   meta:\n      description = "Detects a compromised certificate of CORP 8 LIMITED - identified in November 2018"\n      date = "2018-11-01"\n      hash = "ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4"\n   condition:\n      uint16(0) == 0x5a4d and\n      for any i in (0 .. pe.number_of_signatures) : (\n         pe.signatures[i].issuer contains "COMODO RSA Code Signing CA" and\n         pe.signatures[i].serial == "4c:75:75:69:2c:2d:06:51:03:1a:77:ab:49:22:4c:cc"\n      )\n}\n<\/pre>\n
As you can see, you need to copy two strings from Virustotals web page:[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2018\/11\/Screenshot-2018-11-01-at-11.08.36.png” align_tablet=”center” align_phone=”” align_last_edited=”on|desktop” _builder_version=”4.16″ global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.19.5″ hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Copy the CA name and use it for the “.issue” condition as well as the serial number, which you use for the “.serial” condition. Make sure that you changed the casing to lower-case as YARA does not expect and understand uppercase characters in the serial field.<\/p>\n
Virustotal Intelligence users can use the following hunting rule to detect new uploaded malicious samples with revoked certificates:<\/p>\n
\nrule Compromised_Certificate {\n  condition:\n    \/\/ New files, detected by more than 30 engines and revoked certificate\n   new_file and positives > 30 and tags contains "revoked-cert"\n}\n<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware. I’d like to show you an easy way to create a YARA rule for such a certificate. We will look at a sample that has been marked as malware by many Antivirus engines on Virustotal and the “Details” tab shows a revoked certificate. That’s a good indicator for a compromised certificate that has been and sometimes is still used by threat groups to sign their binaries. Sample:\u00a0ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4 Let’s look at the details. I recommend creating a YARA that uses the “pe” module of YARA and integrate the Serial Number and the Issuer of the certificate to create an unambiguous rule. rule MAL_Compromised_Cert_Nov18_1 { meta: description = "Detects a compromised certificate of CORP 8 LIMITED – identified in November 2018" date = "2018-11-01" hash = "ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4" condition: uint16(0) == 0x5a4d and for any i in (0 .. pe.number_of_signatures) : ( pe.signatures[i].issuer contains "COMODO RSA Code Signing CA" and pe.signatures[i].serial == "4c:75:75:69:2c:2d:06:51:03:1a:77:ab:49:22:4c:cc" ) } As you can see, you need to copy two strings from Virustotals web page:Copy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"
Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware.<\/p>
I'd like to show you an easy way to create a YARA rule for such a certificate.<\/p>
We will look at a sample that has been marked as malware by many Antivirus engines on Virustotal and the \"Details\" tab shows a revoked certificate. That's a good sign for a compromised certificate that has been and sometimes is still used by threat groups to sign their binaries.<\/p>
Sample:\u00a0ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4<\/a><\/p>[caption id=\"attachment_3775\" align=\"alignnone\" width=\"981\"]\"Malware<\/a> Malware signed with revoked certificate[\/caption]","_et_gb_content_width":"","footnotes":""},"categories":[47],"tags":[131,133,13,124,129,132,101,130,128,134,48],"class_list":["post-3774","post","type-post","status-publish","format-standard","hentry","category-yara","tag-certificates","tag-detect","tag-detection","tag-malware","tag-revoked","tag-samples","tag-signatures","tag-signing","tag-tutorial","tag-virustotal","tag-yara"],"yoast_head":"\nShort Tutorial: How to Create a YARA Rule for a Compromised Certificate - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate\",\"datePublished\":\"2018-11-01T10:15:45+00:00\",\"dateModified\":\"2023-02-02T15:23:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\"},\"wordCount\":577,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"certificates\",\"detect\",\"detection\",\"malware\",\"revoked\",\"samples\",\"signatures\",\"signing\",\"tutorial\",\"virustotal\",\"YARA\"],\"articleSection\":[\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\",\"name\":\"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2018-11-01T10:15:45+00:00\",\"dateModified\":\"2023-02-02T15:23:13+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate","datePublished":"2018-11-01T10:15:45+00:00","dateModified":"2023-02-02T15:23:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/"},"wordCount":577,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["certificates","detect","detection","malware","revoked","samples","signatures","signing","tutorial","virustotal","YARA"],"articleSection":["YARA"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/","url":"https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/","name":"Short Tutorial: How to Create a YARA Rule for a Compromised Certificate - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2018-11-01T10:15:45+00:00","dateModified":"2023-02-02T15:23:13+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2018\/11\/01\/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=3774"}],"version-history":[{"count":20,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3774\/revisions"}],"predecessor-version":[{"id":15920,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3774\/revisions\/15920"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=3774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=3774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=3774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}