Adversaries may use compromised or malicious certificates to establish trusted communication channels, allowing them to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential certificate-based attacks and mitigate the risk of long-term compromise.
YARA Rule
import "androguard"

rule fraudulents_2 : certificates android
{
    meta:
        description = "This rule automatically adds certificates present in malware"
        author = "https://twitter.com/fdrg21"
    condition:
        // Match when the APK signing certificate's SHA-1 fingerprint is one of these
        androguard.certificate.sha1("A5D9C9A40A3786D631210E8FCB9CF7A1BC5B3062") or
        androguard.certificate.sha1("B4142B617997345809736842147F97F46059FDE3") or
        androguard.certificate.sha1("950A545EA156A0E44B3BAB5F432DCD35005A9B70") or
        androguard.certificate.sha1("DE18FA0C68E6C9E167262F1F4ED984A5F00FD78C") or
        androguard.certificate.sha1("81E8E202C539F7AEDF6138804BE870338F81B356") or
        androguard.certificate.sha1("5A051047F2434DDB2CAA65898D9B19ED9665F759")
}
When this YARA rule is deployed, the following legitimate scenarios may produce false positives; a suggested filter or exclusion is given for each:
Scenario: A system administrator is manually installing a trusted certificate for internal use (e.g., for a secure internal service).
Filter/Exclusion: Exclude certificates signed by a known internal CA, or those with subject fields containing “internal”, “trusted”, or “CA”.
Scenario: A scheduled job is running a certificate renewal process for a legitimate service (e.g., using certutil or openssl to renew SSL certificates).
Filter/Exclusion: Exclude certificates with issuer names matching known internal or enterprise CA names, or those associated with scheduled tasks running under a specific service account.
Scenario: A developer is using a code signing certificate to sign a legitimate application or script (e.g., using signtool or codesign).
Filter/Exclusion: Exclude certificates signed by developers or internal teams, or those with subject fields containing “developer”, “signing”, or “code-signing”.
Scenario: A security tool is performing a certificate audit or integrity check (e.g., using PowerShell or certutil to verify certificate chains).
Filter/Exclusion: Exclude certificates that are part of known security tooling or system processes, or those with timestamps within a specific audit window.
Scenario: A third-party service is providing a certificate for a legitimate API integration (e.g., using curl or Postman to test API endpoints).
Filter/Exclusion: Exclude certificates issued by known third-party services or those with subject fields containing “api”, “integration”, or “third-party”.
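As an added example (not part of the original page or the rule author's tooling), the Python helper below pulls the fingerprints out of the rule above, normalises fingerprints as printed by `openssl x509 -fingerprint` or `keytool -printcert`, and evaluates a signing certificate against the rule and the subject/issuer exclusions listed above. The function names, the keyword list and any issuer fingerprints passed to it are assumptions; the internal-CA exclusion is keyed on the issuer certificate's fingerprint rather than its display name.

```python
import re

# The rule from this page, embedded so the example runs offline.
RULE_TEXT = '''
import "androguard"
rule fraudulents_2 : certificates android
{
    condition:
        androguard.certificate.sha1("A5D9C9A40A3786D631210E8FCB9CF7A1BC5B3062") or
        androguard.certificate.sha1("B4142B617997345809736842147F97F46059FDE3") or
        androguard.certificate.sha1("950A545EA156A0E44B3BAB5F432DCD35005A9B70") or
        androguard.certificate.sha1("DE18FA0C68E6C9E167262F1F4ED984A5F00FD78C") or
        androguard.certificate.sha1("81E8E202C539F7AEDF6138804BE870338F81B356") or
        androguard.certificate.sha1("5A051047F2434DDB2CAA65898D9B19ED9665F759")
}
'''
_SHA1_CALL = re.compile(r'androguard\.certificate\.sha1\("([0-9A-Fa-f]{40})"\)')
# Subject keywords taken from the page's exclusions, matched as whole words so
# that "ca" does not silently match "Canada" or "certificate".
_SUBJECT_KEYWORDS = re.compile(
    r"\b(internal|trusted|ca|developer|signing|code-signing|api|integration|third-party)\b", re.I)


def normalize_fingerprint(text):
    """Canonicalise a SHA-1 fingerprint as printed by openssl/keytool
    ('SHA1 Fingerprint=A5:D9:...', 'a5d9...') to 40 upper-case hex digits."""
    value = re.sub(r"[\s:]", "", text.split("=", 1)[-1]).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", value):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return value


def fingerprints_from_rule(rule_text):
    """Return the set of certificate SHA-1s the rule's condition alerts on."""
    return frozenset(normalize_fingerprint(m) for m in _SHA1_CALL.findall(rule_text))


def triage(cert_sha1, subject, issuer_sha1, blocklist, internal_issuers):
    """Evaluate one signing certificate: returns (action, reasons), where action is
    'clean' (rule would not fire), 'alert', or 'suppressed' (an exclusion applied).
    Subject keywords are a weak exclusion: the subject is chosen by whoever made the
    certificate, so a fingerprint hit is recorded in the reasons even when suppressed."""
    if normalize_fingerprint(cert_sha1) not in blocklist:
        return "clean", []
    reasons = []
    if normalize_fingerprint(issuer_sha1) in internal_issuers:
        reasons.append("issuer is a known internal CA")
    if _SUBJECT_KEYWORDS.search(subject):
        reasons.append("subject keyword exclusion (weak: subject is self-asserted)")
    return ("suppressed" if reasons else "alert"), reasons
```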