The callTogether_certificate rule flags binaries signed with the CallTogether code-signing certificate, a sign that an adversary may be using a compromised or malicious certificate to make tooling look legitimate and to establish secure, undetected communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that rely on certificate-based evasion.
YARA Rule

rule callTogether_certificate
{
    meta:
        Author = "Fireeye Labs"
        Date = "2014/11/03"
        Description = "detects binaries signed with the CallTogether certificate"
        Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
    strings:
        // raw bytes of the signing certificate's serial number
        $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }
        // organization (O) name from the certificate subject
        $o = "CallTogether, Inc."
    condition:
        // both strings must be present in the scanned file
        $serial and $o
}
The scenarios below describe contexts in which this rule may be deployed and the exclusions that keep benign certificate activity from raising alerts.
The rule contains two string patterns in its detection logic: the raw serial-number bytes of the certificate ($serial) and the organization name "CallTogether, Inc." ($o). A file matches only when both strings are present.
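To make the rule's logic concrete, here is an added Python example (not part of the page and not FireEye's code) that applies the same two strings and the same AND condition to a byte buffer, and renders the serial bytes the way a certificate viewer such as openssl x509 -text prints them, so an analyst can compare a hit against the certificate details of a signed file. The sample buffers are constructed padding, not real binaries. The hex-pattern translator also accepts the YARA "??" single-byte wildcard, which this particular rule does not use; that generalisation is this example's own.

```python
import re

# Patterns copied from the callTogether_certificate rule above.
SERIAL_HEX = "45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C"
ORG_STRING = "CallTogether, Inc."


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex.

    Handles plain byte tokens and the '??' single-byte wildcard. The wildcard
    support is an addition of this example; the page's rule uses none.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")          # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def serial_display(pattern: str) -> str:
    """Render the serial as colon-separated lowercase hex, the form shown by
    `openssl x509 -text` under "Serial Number:"."""
    return ":".join(tok.lower() for tok in pattern.split())


def scan(data: bytes) -> dict:
    """Apply the rule's two strings and its AND condition to one buffer."""
    serial_hit = hex_pattern_to_regex(SERIAL_HEX).search(data)
    org_offset = data.find(ORG_STRING.encode("ascii"))
    return {
        "serial_offset": serial_hit.start() if serial_hit else None,
        "org_offset": org_offset if org_offset >= 0 else None,
        # Mirrors the rule's condition: $serial and $o
        "match": serial_hit is not None and org_offset >= 0,
    }


# Constructed sample buffers (padding around the strings, not real PE files).
SERIAL_BYTES = bytes.fromhex(SERIAL_HEX.replace(" ", ""))
SAMPLE_BOTH = (b"MZ" + b"\x00" * 14 + SERIAL_BYTES + b"\x00" * 8
               + ORG_STRING.encode("ascii") + b"\x00")
SAMPLE_SERIAL_ONLY = b"MZ" + b"\x00" * 14 + SERIAL_BYTES + b"\x00" * 8
SAMPLE_ORG_ONLY = b"MZ" + b"\x00" * 14 + ORG_STRING.encode("ascii") + b"\x00"

if __name__ == "__main__":
    for name, buf in (("both", SAMPLE_BOTH),
                      ("serial only", SAMPLE_SERIAL_ONLY),
                      ("org only", SAMPLE_ORG_ONLY)):
        print(name, scan(buf))
    print("serial as openssl shows it:", serial_display(SERIAL_HEX))
```

Only the first buffer matches; a file carrying just the organization name (a legitimate CallTogether product without that serial) or just the serial bytes by coincidence does not, which is the point of the rule's AND condition.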
Scenario: Scheduled certificate renewal via Let's Encrypt
Description: A system administrator uses certbot to automatically renew SSL certificates for the callTogether service.
Filter/Exclusion: Check for the presence of certbot in the process name or command line, or filter by process.name = "certbot".

Scenario: Manual certificate import by an admin
Description: An admin manually imports a new certificate into the callTogether service using the openssl command-line tool.
Filter/Exclusion: Filter out processes involving openssl, or check for the presence of admin in the user context or command-line arguments.

Scenario: Internal tool for certificate management
Description: A custom internal tool, such as certmgr.sh, is used to manage certificates for callTogether and other internal services.
Filter/Exclusion: Include a filter for process.name = "certmgr.sh", or check for the presence of a known internal tool identifier in the command line.

Scenario: System-wide certificate update via OS update
Description: A system update or patching process updates system-wide certificates, which may include the callTogether service.
Filter/Exclusion: Filter by process.name = "update-manager", process.name = "apt" (on Debian-based systems), or process.name = "yum" (on Red Hat-based systems).

Scenario: Development environment certificate testing
Description: A developer is testing certificate configurations in a development instance of callTogether, using self-signed certificates.
Filter/Exclusion: Filter by process.env = "dev" or process.env = "test", or check for the presence of a development-specific hostname or IP address.