03. Using the web interface
Before reading this section, please make sure the web interface is started (see 2.4). All actions mentioned below require you to be authenticated. In order to do so, enter your credentials in the login form:

- Uploading IOC
- Uploading Yara rules
- Creating a configuration profile
- Adding Windows Credentials
- Configuring a batch
- Viewing results
- Adding users
Uploading IOC
Before uploading an IOC, make sure it respects the OpenIOC XML format and that its behavioral categories and items are supported. If not, those elements will not be scanned. Go to the “Configuration & Profiles” menu item and click on “Add a new IOC”. Enter a name for your IOC and select a file on your computer:

You can check that your IOC has been correctly added by clicking the corresponding icon:

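Added example (not code from the CERTitude project): a small pre-upload check that parses an OpenIOC 1.0 file and reports which IndicatorItems fall into a supported category and which would be ignored by the scanner. The SUPPORTED_CATEGORIES set and the sample IOC are constructed assumptions, since this page does not list the categories CERTitude supports.

```python
# Added example (not part of CERTitude): pre-upload check for an OpenIOC 1.0 file.
# SUPPORTED_CATEGORIES is an assumed placeholder; take the real list from the project docs.
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"  # OpenIOC 1.0 namespace, Clark notation
SUPPORTED_CATEGORIES = {"FileItem", "RegistryItem", "ProcessItem"}  # assumed, not authoritative

def audit_openioc(xml_text):
    """Return (supported, unsupported) lists of 'Category/Term' search strings.
    Items without a Context/search attribute are reported as unsupported."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "ioc":
        raise ValueError("not an OpenIOC 1.0 document, root element is %r" % root.tag)
    supported, unsupported = [], []
    for item in root.iter(NS + "IndicatorItem"):
        ctx = item.find(NS + "Context")
        search = ctx.get("search") if ctx is not None else None
        if not search:  # nothing for the scanner to match on
            unsupported.append("%s: missing Context/search" % item.get("id", "?"))
            continue
        category = search.split("/", 1)[0]  # e.g. "FileItem" from "FileItem/FileName"
        (supported if category in SUPPORTED_CATEGORIES else unsupported).append(search)
    return supported, unsupported

# Constructed sample IOC: two terms the assumed set covers, one network term it does not.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">CurrentVersion\\Run</Content>
      </IndicatorItem>
      <IndicatorItem id="item-3" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">example.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

if __name__ == "__main__":
    scanned, ignored = audit_openioc(SAMPLE_IOC)
    print("will be scanned:", scanned)
    print("will be ignored:", ignored)
```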
Uploading Yara rules
Yara rule upload is not yet fully supported, as the feature is still under development.
Creating a configuration profile
Go to the “Configuration & Profiles” menu item and click on “Add a new scan profile”. Enter a name for your scan profile and select a set of IOC and Yara rules. You can also select the “Host-confidential” setting to prevent the search criteria from being sent to the target:

Adding Windows Credentials
CERTitude needs credentials to authenticate on targets; both local and domain authentication are supported. When adding new Windows Credentials, you therefore need to provide the domain, username and password. You also need to enter your own password, because the administrator account password is encrypted with material derived from your password and the master key:

Configuring a batch
To add a new batch, navigate to the “Scanner” menu item and click on “Add a new batch”:

You can then configure the targets of the batch on the batch configuration page, reached by clicking on your batch name. Targets are added one by one, by IP address (or IP range) or by hostname (hostname lists are currently not supported):

The number of tries is the maximum number of times a target can be scanned for a given scan type. The priority controls which targets are selected first for scanning. Finally, the subnet information can be used later to sort results in the visualization.
Viewing results
Results can be visualized in the “Visualization” menu item. Depending on the size of your data set, one of two visualization methods can be used.
Standard result presentation relies on the d3.js library to display the results. They can be sorted according to a geographical scale and a color scale:

With more than 100 results, this visualization can no longer be used and mass visualization must be used instead.
Mass visualization relies on Bokeh to parse and sort the results according to two criteria:

Whichever result presentation is used, every host can be viewed individually from it, so that the analyst can see which IOC item was matched and details about the matched items:

Adding users
CERTitude can be used as a single-user or a multi-user tool. Users can be added via the web interface in the "Users" menu item. A user is identified by:
- A user name
- An email address (not currently used)
- A status (enabled/disabled)

Each user has a password meeting the complexity requirements (12 chars and 3 char classes minimum), and an encrypted version of the database Master Key, which is used to decrypt domain credentials.
To add new users, you must enter:
- Their login/password pair
- Their email
- Your password, in order to decrypt the master key and encrypt it for them

Copyright © Wavestone 2017