title: Suspicious Load DLL via CertOC.exe
ruletype: Sigma
author: Austin Songer @austinsonger
date: 2021/10/23
description: Detects when a user installs certificates by using CertOC.exe to loads
  the target DLL file.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\certoc.exe'
  SELECTION_3:
    CommandLine: '*-LoadDLL*'
  SELECTION_4:
    CommandLine: '*.dll*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- None
fields:
- CommandLine
- ParentCommandLine
id: 242301bc-f92f-4476-8718-78004a6efd9f
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
status: experimental
tags:
- attack.defense_evasion
- attack.t1218