False positives may be present if the organization works with international businesses. Filter as needed.

Sample rules

Zeek x509 Certificate with Punycode

Description

The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name (SAN) email field and SAN other fields by searching for the "xn--" prefix on the domain part of the address. This activity is significant because punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.

Detection logic

`zeek_x509` 
| rex field=san.email{} "\@(?<domain_detected>xn--.*)" 
| rex field=san.other_fields{} "\@(?<domain_detected>xn--.*)" 
| stats values(domain_detected) by basic_constraints.ca source host 
| `zeek_x509_certificate_with_punycode_filter`

SSL Certificates with Punycode

Description

The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the "xn--" prefix. It leverages the Certificates data model to flag these domains and uses the CyberChef "From Punycode" operation to decode them to Unicode for review. This activity is significant because Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain 
| `drop_dm_object_name("All_Certificates.SSL")` 
| eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) 
| where punycode=1 
| cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" jsonrecipe="[{"op":"From Punycode","args":[true]}]" 
| table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain 
| `ssl_certificates_with_punycode_filter`
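The two rules above share one idea: pull the domain after "@" out of a certificate's email fields, flag it when it starts with "xn--", and decode the label so an analyst can see what the Punycode spells. The following is an added example, not part of the original rules or of the Splunk/Zeek content; it replays the Zeek x509 logic over constructed JSON-lines records and stands in for CyberChef's "From Punycode" step with Python's built-in punycode codec. The field names san.email, san.other_fields and basic_constraints.ca are the page's; the id field and the sample records are assumptions.

```python
import json
import re

# Constructed sample Zeek x509 records (JSON lines). F1 is benign; F2 and F3 carry
# punycode (xn--) domains in san.email / san.other_fields. The "id" field is assumed.
SAMPLE_ZEEK_X509 = """
{"id":"F1","certificate.subject":"CN=example.com","san.email":["admin@example.com"],"basic_constraints.ca":false}
{"id":"F2","certificate.subject":"CN=xn--80ak6aa92e.com","san.email":["support@xn--80ak6aa92e.com"],"basic_constraints.ca":false}
{"id":"F3","certificate.subject":"CN=xn--mnchen-3ya.de","san.email":["it@xn--mnchen-3ya.de"],"san.other_fields":["mail@xn--bcher-kva.example"],"basic_constraints.ca":true}
"""

# Same capture as the rule's rex stages: the domain after '@' when it begins with xn--.
PUNYCODE_EMAIL = re.compile(r"@(xn--.*)")


def decode_punycode(domain):
    """Decode every xn-- label to Unicode (what CyberChef's 'From Punycode' does).
    A malformed label is kept raw so the hit is still reported rather than dropped."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def extract_domains(record):
    """Mirror `rex field=san.email{}` and `rex field=san.other_fields{}` on one record."""
    hits = set()
    for field in ("san.email", "san.other_fields"):
        for value in record.get(field, []):
            match = PUNYCODE_EMAIL.search(value)
            if match:
                hits.add(match.group(1))
    return hits


def detect_punycode_certs(log_text):
    """Run the detection over JSON-lines Zeek x509 logs: one finding per (certificate, domain),
    carrying basic_constraints.ca like the rule's `stats ... by basic_constraints.ca`."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        for domain in sorted(extract_domains(record)):
            findings.append({"id": record["id"], "ca": record.get("basic_constraints.ca"),
                             "domain": domain, "decoded": decode_punycode(domain)})
    return findings
```

The decoded column is what makes triage possible: "xn--mnchen-3ya.de" decodes to a plausible German business domain, whereas a label that decodes to a look-alike of a brand the organization does not own is the case the false-positive note above asks you to filter for.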