The qti_certificate rule detects binaries signed with the QTI International Inc certificate (identified in the rule by the subject common name and the certificate serial number), a custom or malicious certificate that an adversary may use to make signed payloads appear trusted and to establish secure communication channels for command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could evade traditional detection methods.
YARA Rule
rule qti_certificate
{
    meta:
        Author = "Fireeye Labs"
        Date = "2014/11/03"
        Description = "detects binaries signed with the QTI International Inc certificate"
        Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"

    strings:
        $cn = "QTI International Inc"
        $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }

    condition:
        $cn and $serial
}
This rule contains two string patterns in its detection logic, the ASCII subject name $cn and the hex serial number $serial, and it fires only when both are present in the scanned file. The following scenarios describe benign activity that can produce look-alike events, with a suggested filter or exclusion for each:
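To show how the two patterns combine, here is an added Python re-implementation of the rule's matching logic (example code, not part of the original rule or of FireEye's tooling). The serial is searched as raw bytes exactly as YARA does, so it matches wherever the DER INTEGER value lands inside an Authenticode signature blob; the sample inputs are constructed stand-ins for a signed PE, not real files.

```python
import re
from pathlib import Path

# Patterns copied from the qti_certificate rule. YARA text strings are
# case-sensitive ASCII by default; the hex string is matched byte-for-byte.
QTI_CN = b"QTI International Inc"
QTI_SERIAL = bytes.fromhex("2edfb9fdcfa00ccb5ab009ee3adb97b9")


def matches_qti_certificate(data: bytes) -> dict:
    """Emulate the rule: report offsets of each string and the $cn and $serial verdict."""
    cn_offsets = [m.start() for m in re.finditer(re.escape(QTI_CN), data)]
    serial_offsets = [m.start() for m in re.finditer(re.escape(QTI_SERIAL), data)]
    return {
        "cn": cn_offsets,
        "serial": serial_offsets,
        "match": bool(cn_offsets and serial_offsets),
    }


def scan_file(path: str) -> dict:
    """Read a file as bytes and apply the emulated rule (whole-file scan, like YARA)."""
    return matches_qti_certificate(Path(path).read_bytes())


def build_sample(include_serial: bool) -> bytes:
    """Constructed stand-in for a signed PE's certificate data (not a real binary).

    In a DER-encoded X.509 certificate the serial number is an INTEGER
    (tag 0x02, length 0x10, then the 16 value bytes) and the common name is a
    PrintableString (tag 0x13). The rule matches only the value bytes, so the
    tag/length framing used here does not affect the result.
    """
    serial_tlv = (b"\x02\x10" + QTI_SERIAL) if include_serial else b""
    cn_tlv = b"\x13" + bytes([len(QTI_CN)]) + QTI_CN
    return b"MZ" + b"\x00" * 64 + serial_tlv + b"\x00" * 16 + cn_tlv + b"\x00" * 8


if __name__ == "__main__":
    # A binary that merely mentions the company name does not trigger the rule;
    # the serial pins the detection to this one certificate and keeps false positives low.
    print("both strings :", matches_qti_certificate(build_sample(True))["match"])
    print("CN only      :", matches_qti_certificate(build_sample(False))["match"])
```

Because the rule keys on both the name and the serial, a hit is a strong signal of that specific certificate rather than of any file that references the company; triage should therefore focus on where the signed binary came from and what it executed.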
Scenario: A system administrator is manually installing a trusted certificate using the Microsoft Management Console (MMC) or certmgr.msc tool.
Filter/Exclusion: Check for the presence of certmgr.msc or mmc.exe in the process tree, or filter by user account (e.g., Administrators group).
Scenario: A scheduled job runs to update or renew certificates via Windows Server Update Services (WSUS) or Group Policy Object (GPO).
Filter/Exclusion: Include processes related to wuauserv, gpsvc, or gpolusr in the allowed process list, or check for known GPO update patterns.
Scenario: A developer is using Visual Studio or PowerShell to generate or sign a certificate for internal use in a development environment.
Filter/Exclusion: Filter by process names like devenv.exe, powershell.exe, or user context (e.g., DevTeam group).
Scenario: A backup job is running that includes certificate files as part of a full system backup, such as via Veeam, Commvault, or Windows Backup.
Filter/Exclusion: Include backup-related processes like veeam.exe, cvbackup.exe, or wbadmin.exe in the allowed process list.
Scenario: A third-party application like Citrix, VMware Tools, or Microsoft Intune includes certificate files as part of its installation or configuration.
Filter/Exclusion: Whitelist known application processes (e.g., CitrixReceiver.exe, vmtoolsd.exe, or intunewds.exe) or check for known installation paths.