Adversaries may use fraudulent ECC certificates to sign malicious files, bypassing certificate validation and executing code without detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation of the CVE-2020-0601 vulnerability and mitigate advanced persistent threats.
id: d8f2e268-68a6-4f09-abd1-2568462bcaf5
name: locate-files-possibly-signed-by-fraudulent-ecc-certificates
description: |
  This query was originally published in the threat analytics report, CVE-2020-0601 certificate validation vulnerability.
  The Windows CryptoAPI Spoofing Vulnerability, CVE-2020-0601, can be exploited to spoof code-signing certificates. For example, an attacker could forge a certificate that lists Microsoft as the issuer. This would allow an attacker to disguise a malicious executable as legitimate.
  The vulnerability was patched with the January 2020 Security Update.
  Use the following query to locate files containing ECC certificates that might have been forged using this vulnerability. The query identifies files with an embedded, trusted signature whose root signer is Microsoft, yet whose issuer name does not begin with "Microsoft" or "Windows".
  References:
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2020-0601
  https://portal.msrc.microsoft.com/security-guidance/releasenotedetail/2020-Jan
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - Defense evasion
query: |
  DeviceFileCertificateInfo
  | where Timestamp > ago(30d)
  | where IsSigned == 1 and IsTrusted == 1 and IsRootSignerMicrosoft == 1
  | where SignatureType == "Embedded"
  | where Issuer !startswith "Microsoft" and Issuer !startswith "Windows"
  | project Timestamp, DeviceName, SHA1, Issuer, IssuerHash, Signer, SignerHash,
    CertificateCreationTime, CertificateExpirationTime, CrlDistributionPointUrls
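To check the filter logic offline, the following added example (not part of the original rule) replays the query's conditions in Python over constructed rows shaped like DeviceFileCertificateInfo columns; the `allowlisted_sha1` parameter is an assumed tuning knob for the known-good file hashes described in the false-positive scenarios, and the row values are invented.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the constructed sample; a live hunt would use datetime.now(timezone.utc).
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)

# Constructed rows shaped like DeviceFileCertificateInfo columns (not real telemetry).
SAMPLE_ROWS = [
    # Microsoft-issued and Microsoft-rooted: the issuer prefix excludes it.
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "ws01", "SHA1": "a" * 40,
     "IsSigned": 1, "IsTrusted": 1, "IsRootSignerMicrosoft": 1, "SignatureType": "Embedded",
     "Issuer": "Microsoft Code Signing PCA 2011", "Signer": "Microsoft Corporation"},
    # Suspicious: trusted, chains to a Microsoft root, but the issuer is not Microsoft/Windows.
    {"Timestamp": NOW - timedelta(days=5), "DeviceName": "ws02", "SHA1": "b" * 40,
     "IsSigned": 1, "IsTrusted": 1, "IsRootSignerMicrosoft": 1, "SignatureType": "Embedded",
     "Issuer": "Contoso Internal CA", "Signer": "Contoso Ltd"},
    # Same pattern but 45 days old: outside the 30-day lookback.
    {"Timestamp": NOW - timedelta(days=45), "DeviceName": "ws03", "SHA1": "c" * 40,
     "IsSigned": 1, "IsTrusted": 1, "IsRootSignerMicrosoft": 1, "SignatureType": "Embedded",
     "Issuer": "Contoso Internal CA", "Signer": "Contoso Ltd"},
    # Catalog-signed rather than embedded: the query only considers embedded signatures.
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws04", "SHA1": "d" * 40,
     "IsSigned": 1, "IsTrusted": 1, "IsRootSignerMicrosoft": 1, "SignatureType": "Catalog",
     "Issuer": "Contoso Internal CA", "Signer": "Contoso Ltd"},
]

def hunt_suspicious_ecc_signers(rows, now=NOW, lookback_days=30,
                                issuer_prefixes=("Microsoft", "Windows"),
                                allowlisted_sha1=frozenset()):
    """Apply the rule's KQL filters to rows and return the projected hits.
    allowlisted_sha1 (assumed tuning knob): reviewed known-good file hashes to drop."""
    cutoff = now - timedelta(days=lookback_days)
    # KQL string operators such as !startswith are case-insensitive; lowercase both sides.
    prefixes = tuple(p.lower() for p in issuer_prefixes)
    hits = []
    for r in rows:
        if r["Timestamp"] <= cutoff:                      # Timestamp > ago(30d)
            continue
        if not (r["IsSigned"] == 1 and r["IsTrusted"] == 1 and r["IsRootSignerMicrosoft"] == 1):
            continue
        if r["SignatureType"] != "Embedded":
            continue
        if r["Issuer"].lower().startswith(prefixes):      # Issuer !startswith Microsoft/Windows
            continue
        if r["SHA1"] in allowlisted_sha1:
            continue
        hits.append({k: r[k] for k in ("Timestamp", "DeviceName", "SHA1", "Issuer", "Signer")})
    return hits
```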
Scenario: Legitimate certificate-based file signing using a trusted certificate
Description: A system administrator signs a script or executable using a valid certificate issued by a trusted CA, which may be incorrectly flagged due to a similarity in certificate structure.
Filter/Exclusion: Exclude files signed by known trusted certificate authorities (e.g., Microsoft, DigiCert) using the file_hash or signer_certificate fields.
Scenario: Scheduled job executing a script with a self-signed certificate
Description: A scheduled job (e.g., schtasks.exe) runs a script that uses a self-signed certificate for internal communication, which may trigger the rule due to certificate validation issues.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with known internal certificate usage.
Scenario: System update or patching process using a signed installer
Description: A Windows Update or Microsoft Update process downloads and installs a signed package, which may be flagged due to certificate validation logic.
Filter/Exclusion: Exclude processes related to wuauclt.exe, setup.exe, or known Microsoft update tools.
Scenario: Internal tool using a custom certificate for internal communication
Description: An internal tool (e.g., PowerShell, certutil, or openssl.exe) uses a custom certificate for internal API calls, which may be incorrectly flagged due to certificate validation.
Filter/Exclusion: Exclude processes using internal certificates by checking the subject or issuer fields against known internal CA names.
Scenario: Admin task using a certificate for secure remote access
Description: An admin task (e.g., mstsc.exe, RDP, or ssh.exe) uses a certificate for secure remote access, which may be flagged due to certificate validation logic.
*Filter/Ex