NDR: Checking for "Baby Certs" with Reveal(x)

I had a conversation with someone about "Baby Domains" where they wanted to check for domain names that are newly issued. This led to a second conversation about malware moving into encrypted channels in an attempt to evade payload analysis (while we can decrypt your TLS 1.3, we haven't gotten the bad guys to share their keys with us yet).

This can be useful for outgoing traffic to C2 environments or phishing sites. In the last few years, ANYONE can get an SSL certificate (it didn't used to be that way) by running certbot in a script and placing your newly minted C2 host or phishing site on the internet WITHOUT the user getting a warning. One of the workflows I like to use is to check for newly minted certificates that may match additional criteria.

Example: A 3-day-old certificate that was issued by "Let's Encrypt" going to an IP address in a former Soviet Bloc (CIS) nation-state. Or, maybe the hostname (SSL.host) has some base64-like characteristics.

Below is a simple trigger I like to use to check the age of a certificate. As I said, you can add additional keys to this to increase context (GeoIP, DGA-like SSL.host values, nulls in the Certificate issuer field) to add to the suspiciousness of these values. For now we are just logging but if you feel like trying it out, you might get some interesting data back.

In the image below, I basically went to pastebin and found a list of emotet C2 sites and did a wget from my Kali box to generate the record.

Another thing you may try, if SSL.certificate is blank, is checking the IP against CTI. I have found several C2 nodes when !SSL.certificate is true. To do this you use:

// Fragment meant to sit inside the trigger below, where cip and sip are already defined
if (!SSL.certificate) {
    // No certificate on this handshake: fall back to checking the server IP against threat intel
    if (ThreatIntel.hasIP(sip)) {
        log("CTI Match on Empty Cert for: " + cip + " " + sip);
    }
}

Trigger Code

// Bail if the server is not External
if (!Flow.server.ipaddr.isExternal) return;

let cip = Flow.client.ipaddr;
let sip = Flow.server.ipaddr;

if (!SSL.certificate) return;

// notBefore is seconds since the epoch; Date wants milliseconds
let issueDate = new Date(SSL.certificate.notBefore * 1000);
let today = new Date();
// Set how far back you want to check the date of the Certificate
let days = 14;
// Cutoff date: anything issued after this counts as a "baby cert"
let babyCert = new Date(today);
babyCert.setDate(today.getDate() - days);

const country = GeoIP.getCountry(sip);
let geoLoc = country ? country.countryName : "Not in Maxmind";
if (issueDate > babyCert) {
    log(
        "Newly Issued Certificate: " +
            issueDate.toLocaleDateString("en-US") +
            " " +
            cip +
            ":" +
            sip +
            " " +
            SSL.host +
            " " +
            SSL.certificate.issuer +
            " " +
            SSL.certificate.isSelfSigned +
            " " +
            geoLoc
    );
}

3 Likes
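As an added example (not code from the original post or from ExtraHop), here is the same "baby cert" logic, plus the empty-certificate CTI fallback and the extra context the post mentions (Let's Encrypt issuer, GeoIP watch-list, base64-like SSL.host), reworked as plain functions that run and can be tested offline in Node.js. The session fields mirror the trigger objects used in the post (SSL.certificate.notBefore in epoch seconds, issuer, isSelfSigned, SSL.host, Flow.*.ipaddr), but every value is constructed; GeoIP, ThreatIntel and the isExternal check are stubs passed in through a `deps` argument, and the watch-list and hostname heuristic are assumptions of this example, not Reveal(x) behaviour.

```javascript
// Added example, not from the original post or from ExtraHop. All sample data is
// constructed (documentation / TEST-NET addresses only); deps stubs stand in for
// the Flow.server.ipaddr.isExternal, GeoIP.getCountry and ThreatIntel.hasIP calls.

const DAY_MS = 24 * 60 * 60 * 1000;
const BABY_CERT_DAYS = 14;                           // same look-back window as the trigger
const LETSENCRYPT_RE = /Let's Encrypt/i;             // issuer substring to match (assumption)
const WATCH_COUNTRIES = new Set(["RU", "BY", "KZ"]); // hypothetical watch-list, edit to taste

// Whole days between the certificate's notBefore (epoch seconds) and nowMs (epoch ms).
// A negative result means notBefore is in the future (clock skew or a forged date);
// it still counts as "new" in assessSession.
function certAgeDays(notBeforeSeconds, nowMs) {
  return Math.floor((nowMs - notBeforeSeconds * 1000) / DAY_MS);
}

// Cheap "base64-like / DGA-like" heuristic on the leftmost DNS label: a long label
// with almost no vowels, or digits mixed with both letter cases. Tune before relying on it.
function looksEncoded(host) {
  const label = (host || "").split(".")[0];
  if (label.length < 12) return false;
  const letters = label.replace(/[^a-z]/gi, "");
  const vowels = letters.replace(/[^aeiou]/gi, "").length;
  const vowelRatio = letters.length ? vowels / letters.length : 0;
  const mixedCharset = /[a-z]/.test(label) && /[A-Z]/.test(label) && /[0-9]/.test(label);
  return vowelRatio < 0.2 || mixedCharset;
}

// Apply the post's checks to one TLS session. Returns null when the server is
// internal (the trigger's early return), otherwise a result carrying a flags array.
function assessSession(session, nowMs, deps) {
  const { client, server, host, certificate } = session;
  if (!deps.isExternal(server)) return null;
  const flags = [];
  if (!certificate) {
    // Empty certificate: the post's fallback is to check the server IP against CTI
    if (deps.hasIP(server)) flags.push("empty-cert-cti-hit");
    return { client, server, host, flags, ageDays: null, country: null };
  }
  const ageDays = certAgeDays(certificate.notBefore, nowMs);
  if (ageDays < BABY_CERT_DAYS) flags.push("baby-cert");
  if (LETSENCRYPT_RE.test(certificate.issuer || "")) flags.push("lets-encrypt");
  if (certificate.isSelfSigned) flags.push("self-signed");
  const geo = deps.getCountry(server);
  if (geo && WATCH_COUNTRIES.has(geo.countryCode)) flags.push("watch-country");
  if (looksEncoded(host)) flags.push("encoded-host");
  return { client, server, host, flags, ageDays, country: geo ? geo.countryName : "Not in Maxmind" };
}

// Same shape as the log() line in the trigger, for eyeballing the output.
function formatLog(r) {
  return `${r.flags.join("+") || "clean"} ${r.client}:${r.server} ${r.host} age=${r.ageDays} ${r.country}`;
}

// ---- constructed sample data ----
const NOW_MS = Date.UTC(2024, 0, 15);            // fixed "now" keeps the example deterministic
const daysAgoSec = (d) => (NOW_MS - d * DAY_MS) / 1000;

const SAMPLE_SESSIONS = [
  { client: "10.1.2.3", server: "203.0.113.10", host: "aGVsbG93b3JsZDEyMw.example.net",
    certificate: { notBefore: daysAgoSec(3), issuer: "CN=R3,O=Let's Encrypt,C=US", isSelfSigned: false } },
  { client: "10.1.2.4", server: "198.51.100.7", host: "", certificate: null },
  { client: "10.1.2.5", server: "10.0.0.5", host: "intranet.corp.local",
    certificate: { notBefore: daysAgoSec(1), issuer: "CN=Corp Internal CA", isSelfSigned: true } },
  { client: "10.1.2.6", server: "192.0.2.1", host: "www.example.com",
    certificate: { notBefore: daysAgoSec(400), issuer: "CN=Example Public CA", isSelfSigned: false } },
];

const demoDeps = {
  isExternal: (ip) => !/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip),
  getCountry: (ip) => ({ "203.0.113.10": { countryCode: "RU", countryName: "Russia" } })[ip] || null,
  hasIP: (ip) => new Set(["198.51.100.7"]).has(ip),  // stand-in for ThreatIntel.hasIP
};

function runDemo() {
  return SAMPLE_SESSIONS.map((s) => assessSession(s, NOW_MS, demoDeps));
}

for (const r of runDemo()) if (r) console.log(formatLog(r));
```

Running it prints one line per external session; the first sample collects all four context flags, the empty-certificate sample is caught only by the CTI stub, and the old publicly issued certificate comes out clean. In a real trigger you would keep the flags array and only call log() when it is non-empty (or when its length crosses a threshold), which is the "add keys to increase context" idea from the post without the noise of logging every fresh certificate.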

Love this idea. We will be trying it out in our environment next week. Thanks for posting.

1 Like