title: Suspicious Certutil Command
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
description: Detects a suspicious Microsoft certutil execution with sub commands like
  'decode' sub command, which is sometimes used to decode malicious code with the
  built-in certutil utility
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '* -decode *'
    - '* -decodehex *'
    - '* -urlcache *'
    - '* -verifyctl *'
    - '* -encode *'
    - '* /decode *'
    - '* /decodehex *'
    - '* /urlcache *'
    - '* /verifyctl *'
    - '* /encode *'
  SELECTION_3:
    Image: '*\certutil.exe'
  SELECTION_4:
    CommandLine:
    - '*URL*'
    - '*ping*'
  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
  environment
fields:
- CommandLine
- ParentCommandLine
id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/04/23
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
status: experimental
tags:
- attack.defense_evasion
- attack.t1140
- attack.command_and_control
- attack.t1105
- attack.s0160
- attack.g0007
- attack.g0010
- attack.g0045
- attack.g0049
- attack.g0075
- attack.g0096
ruletype: SIGMA