LoFP / False positives may be present if the organization works with international businesses. Filter as needed.

Techniques

Sample rules

SSL Certificates with Punycode

Description

The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil; therefore the punycode must be decoded to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode that trips CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? It will start with

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain 
| `drop_dm_object_name("All_Certificates.SSL")` 
| eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) 
| where punycode=1 
| cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" jsonrecipe="[{"op":"From Punycode","args":[true]}]" 
| table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain 
| `ssl_certificates_with_punycode_filter`

Zeek x509 Certificate with Punycode

Description

The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged, as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note that san.other_fields is meant to be BOOL (true, false); therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add a CyberChef recipe to the query, and decode the punycode manually.

Detection logic

`zeek_x509` 
| rex field=san.email{} "\@(?<domain_detected>xn--.*)" 
| rex field=san.other_fields{} "\@(?<domain_detected>xn--.*)" 
| stats values(domain_detected) by basic_constraints.ca source host 
| `zeek_x509_certificate_with_punycode_filter`
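Both analytics above stop at "find xn-- and decode it by hand". The following is an added example, not part of the original rules or of Splunk's content, that does the same two steps offline in Python over constructed Zeek x509 JSON lines: it extracts the e-mail SAN domain with the same `@(xn--.*)` anchor the rex uses, decodes each xn-- label the way CyberChef's From Punycode op would, and, for the fuzzing case the description mentions, keeps a label that will not decode and flags it instead of crashing. The sample records, hostnames and the malformed label `xn--fuzz-99999999` are all constructed.

```python
import codecs
import json
import re

# Constructed Zeek x509 records as JSON lines (not real telemetry); the last one
# carries a deliberately malformed punycode label to exercise the decode-failure path.
SAMPLE_ZEEK_X509 = """\
{"ts":1667000000.1,"id":"F1","san.email":["admin@example.com"],"san.other_fields":false,"basic_constraints.ca":false,"host":"sensor1"}
{"ts":1667000001.2,"id":"F2","san.email":["ops@xn--bcher-kva.example"],"san.other_fields":false,"basic_constraints.ca":false,"host":"sensor1"}
{"ts":1667000002.3,"id":"F3","san.email":["x@xn--fuzz-99999999.example"],"san.other_fields":false,"basic_constraints.ca":true,"host":"sensor2"}
"""

# Same anchor as the SPL rex: the domain part of an e-mail address that starts with xn--.
PUNY_DOMAIN = re.compile(r"@(?P<domain_detected>xn--.*)$")


def decode_punycode_domain(domain):
    """Decode every xn-- label (per-label equivalent of CyberChef's From Punycode op).

    Returns (decoded_domain, ok). A label that will not decode is kept verbatim and ok
    is False: a genuine IDN from an international partner decodes cleanly, so the
    undecodable hits are the ones worth escalating.
    """
    ok = True
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = codecs.decode(label[4:].encode("ascii"), "punycode")
            except UnicodeError:
                ok = False
        labels.append(label)
    return ".".join(labels), ok


def find_punycode_sans(log_text):
    """Scan Zeek x509 JSON lines; return one hit per e-mail SAN whose domain is punycode."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        # san.other_fields is boolean in Zeek, so only san.email can carry a domain.
        for email in rec.get("san.email", []):
            m = PUNY_DOMAIN.search(email)
            if m is None:
                continue
            decoded, ok = decode_punycode_domain(m.group("domain_detected"))
            hits.append({"host": rec.get("host"), "ca": rec.get("basic_constraints.ca"),
                         "domain_detected": m.group("domain_detected"),
                         "decoded": decoded, "decodable": ok})
    return hits
```

Running `find_punycode_sans(SAMPLE_ZEEK_X509)` yields two hits: the first decodes to `bücher.example` (an ordinary IDN, the false-positive class noted at the top of the page), the second stays as `xn--fuzz-99999999.example` with `decodable` False.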