26 Jul 2024
Gathering Intel from the Certificate Transparency Initiative for the recent Crowdstrike incident and other tailored cases.
The indicators of compromise listed in the Crowdstrike article of the 19th July [1] include a list of hostnames and domains that could impersonate Crowdstrike brands.
The Crowdstrike article provides a disclaimer that “Some domains in this list are not currently serving malicious content or could be intended to amplify negative sentiment. However, these sites may support future social-engineering operations”.
They also provide a pointer to their LogScale query to collect this information.
There is another way to get similar information straight from the TLS certificates being issued, through the Certificate Transparency Initiative [2].
A general overview of the Certificate Transparency scheme is also outlined on Wikipedia [3].
The following article describes steps that can be taken to collect hostnames and domains that have recently been issued a TLS certificate and check if they hold the word “crowdstrike”.
In case you are looking for permutations of words from “crowdstrike” (or any other search term), you will be able to re-run your new queries on the locally collected data.
The technique uses the stream of certificates being issued and published through the Certificate Transparency Initiative with a python module created by CaliDog [4].
The python module is duly named “certstream” [5][6]; running it collects the certificates currently being issued, as relayed by CaliDog’s collection and distribution server over a secure web socket [7].
This is a “live” feed and there are potentially hundreds of items every minute.
Once the certstream python module [5] and the jq utility [8] are installed locally, you are ready to start collecting all the certificates being issued.
Recording all the details of the certificate takes up significant disk space so it is recommended to just save the fields that will be useful for future queries.
It is recommended to save the following information:
1) Certificate-ID,
2) Issuer Organisation Name, and
3) All listed domains in the certificate
This can be achieved by using the following commands:
certstream --json | jq -r '.data | [[(.cert_index|tostring)], [.leaf_cert.issuer.O], .leaf_cert.all_domains | join(",")] | join("\t")'
This will collect the certificate ID, the Issuer Organisation and the domains listed in that certificate as a tab separated row, and is output to the current terminal session in a scrolling fashion.
A way to save the output in convenient TSV files (in batches) is as follows:
certstream --json | jq -r '.data | [[(.cert_index|tostring)], [.leaf_cert.issuer.O], .leaf_cert.all_domains | join(",")] | join("\t")' >> certificate-data.tsv
After a period of your choosing, you may stop the command and relaunch it writing to a different file, to ensure continuity of collection.
You may then search the file with a utility such as “grep” [9], in the following manner:
cat certificate-data.tsv | grep crowdstrike
This will yield the rows containing the text “crowdstrike”. Note that grep matches case-sensitively by default; add the -i flag to also catch mixed-case names.
If there are other key words to be searched, substitute the word “crowdstrike” in the above example with your search term.
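As an added example (not code from the AUSCERT post or the certstream project), the following Python script reproduces the field extraction of the jq filter above from certstream messages, producing the same tab-separated rows, and then searches those rows. It goes beyond the grep step: besides an exact substring match it flags any dot- or hyphen-separated domain label within one edit of the search term, which covers the single-character permutations mentioned earlier. The sample messages and their JSON lines are constructed; the live collection function relies on the certstream module's listen_for_events callback API and needs network access, so it is only invoked when you call it yourself.

```python
import json
import re

# Constructed sample messages in the certstream "certificate_update" layout
# (only the fields this script reads are populated); not real CT log data.
SAMPLE_MESSAGES = [
    {"message_type": "certificate_update",
     "data": {"cert_index": 123456,
              "leaf_cert": {"issuer": {"O": "Let's Encrypt"},
                            "all_domains": ["crowdstrike-fix.example",
                                            "www.crowdstrike-fix.example"]}}},
    {"message_type": "certificate_update",
     "data": {"cert_index": 123457,
              "leaf_cert": {"issuer": {"O": "Example CA"},
                            "all_domains": ["crowdstrke-update.example"]}}},
    {"message_type": "heartbeat"},
    {"message_type": "certificate_update",
     "data": {"cert_index": 123458,
              "leaf_cert": {"issuer": {},
                            "all_domains": ["shop.example"]}}},
]
# The same messages as `certstream --json` would print them: one per line.
SAMPLE_JSON_LINES = [json.dumps(m) for m in SAMPLE_MESSAGES]


def message_to_row(message):
    """Build the TSV row the post's jq filter produces (cert index, issuer
    organisation, comma-joined domains); None for non-certificate messages."""
    if message.get("message_type") != "certificate_update":
        return None
    data = message["data"]
    leaf = data.get("leaf_cert", {})
    issuer_o = (leaf.get("issuer") or {}).get("O") or ""
    domains = ",".join(leaf.get("all_domains", []))
    return "\t".join([str(data["cert_index"]), issuer_o, domains])


def rows_from_messages(messages):
    return [row for row in map(message_to_row, messages) if row is not None]


def rows_from_json_lines(lines):
    """Equivalent of piping `certstream --json` into the jq filter."""
    return rows_from_messages(json.loads(line) for line in lines if line.strip())


def load_rows(path):
    """Read rows back from a certificate-data.tsv written by the pipeline."""
    with open(path, encoding="utf-8") as f:
        return [line.rstrip("\n") for line in f if line.strip()]


def levenshtein(a, b):
    """Edit distance, classic dynamic-programming formulation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_matches(rows, term, max_distance=1):
    """Return (cert_index, domain, reason) for every domain that contains the
    term, or has a dot/hyphen-separated label within max_distance edits of it
    (the "permutations" case: one dropped, added or swapped character)."""
    term = term.lower()
    hits = []
    for row in rows:
        cert_index, _issuer, domains = row.split("\t")
        for domain in filter(None, domains.split(",")):
            d = domain.lower()
            if term in d:
                hits.append((cert_index, domain, "contains"))
                continue
            for label in re.split(r"[.-]", d):
                if label and levenshtein(label, term) <= max_distance:
                    hits.append((cert_index, domain, f"near:{label}"))
                    break
    return hits


def collect_to_tsv(path, url="wss://certstream.calidog.io/"):
    """Live collection with the certstream module (network required); the
    (message, context) callback signature is the module's own."""
    import certstream  # imported here so the offline parts run without it

    with open(path, "a", encoding="utf-8") as out:
        def on_message(message, context):
            row = message_to_row(message)
            if row is not None:
                out.write(row + "\n")
                out.flush()
        certstream.listen_for_events(on_message, url=url)


if __name__ == "__main__":
    for hit in find_matches(rows_from_json_lines(SAMPLE_JSON_LINES), "crowdstrike"):
        print("\t".join(hit))
```

Run as a script it reports three rows from the constructed sample: the two exact matches and the near miss “crowdstrke-update.example”. To re-run a query against a file collected with the pipeline above, pass load_rows("certificate-data.tsv") to find_matches; raising max_distance widens the net but also raises the number of legitimate domains that need manual interpretation.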
You may also crosscheck and get further details of the certificate by searching online repositories such as crt.sh [10].
The disclaimer used in the Crowdstrike article applies to the data found through this technique. Domains and hostnames discovered may be online, not yet online, or they may be legitimate domains.
Further interpretation is required, but you now have visibility of the hostnames for which TLS certificates are being issued, which signals an intent to bring those hostnames online.
AUSCERT has a number of MISP events available to members that utilise certificate transparency logs as one of the threat intelligence sources.
Happy hunting!
References:
[1] https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
[2] https://certificate.transparency.dev/
[3] https://en.wikipedia.org/wiki/Certificate_Transparency
[4] https://calidog.io/
[5] https://certstream.calidog.io/
[6] https://github.com/CaliDog/certstream-python
[7] wss://certstream.calidog.io/
[8] https://jqlang.github.io/jq/tutorial/
[9] https://www.digitalocean.com/community/tutorials/grep-command-in-linux-unix
[10] https://crt.sh/
Written by AUSCERT