CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bad4429ad0367f9e00841faaf490cdba7c28ae9c
hayabusa/rules/alert-rules/sigma/win_susp_certutil_command.yml
Tanaka Zakku 771c86edbf change rules dir structure. addlogon timeline.
2021-11-18 08:43:13 +09:00

73 lines
2.2 KiB
YAML
Raw Blame History

title: Suspicious Certutil Command
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
description: Detects a suspicious Microsoft certutil execution with sub commands like
'decode' sub command, which is sometimes used to decode malicious code with the
built-in certutil utility
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '* /verifyctl *'
SELECTION_11:
CommandLine: '* /encode *'
SELECTION_12:
Image: '*\certutil.exe'
SELECTION_13:
CommandLine: '*URL*'
SELECTION_14:
CommandLine: '*ping*'
SELECTION_2:
CommandLine: '* -decode *'
SELECTION_3:
CommandLine: '* -decodehex *'
SELECTION_4:
CommandLine: '* -urlcache *'
SELECTION_5:
CommandLine: '* -verifyctl *'
SELECTION_6:
CommandLine: '* -encode *'
SELECTION_7:
CommandLine: '* /decode *'
SELECTION_8:
CommandLine: '* /decodehex *'
SELECTION_9:
CommandLine: '* /urlcache *'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11) or (SELECTION_12 and (SELECTION_13 or SELECTION_14))))
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
fields:
- CommandLine
- ParentCommandLine
id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
level: high
logsource:
category: process_creation
product: windows
modified: 2021/04/23
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
status: experimental
tags:
- attack.defense_evasion
- attack.t1140
- attack.command_and_control
- attack.t1105
- attack.s0160
- attack.g0007
- attack.g0010
- attack.g0045
- attack.g0049
- attack.g0075
- attack.g0096
yml_filename: win_susp_certutil_command.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
Reference in New Issue View Git Blame Copy Permalink