security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc8a89b6792ba7671d45c255e3042fba5df7cadf
blue-team-tools/rules/windows/sysmon/sysmon_susp_certutil_command.yml
T

69 lines
2.3 KiB
YAML
Raw Normal View History

Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
---
action: global
certutil detections (renamed, extended)
2017-07-20 12:38:10 -06:00
title: Suspicious Certutil Command
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
status: experimental
Fixed typo
2018-07-09 13:32:16 -05:00
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
Fixed bugs
2018-06-27 09:20:20 +02:00
author: Florian Roth, juju4
rule: extended certutil rule to include verifyctl and allows renamed certutil
2019-01-22 16:20:06 +01:00
modified: 2019/01/22
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
references:
certutil file download - more generic approach
2017-07-20 12:48:47 -06:00
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
- https://twitter.com/subTee/status/888071631528235010
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
rule: extended certutil rule to include verifyctl and allows renamed certutil
2019-01-22 16:20:06 +01:00
- https://twitter.com/egre55/status/1087685529016193025
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
detection:
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.t1140
- attack.s0189
- attack.g0007
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
---
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
logsource:
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
product: windows
service: sysmon
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
detection:
selection:
EventID: 1
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
CommandLine:
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
2018-09-23 20:28:05 +02:00
- '*certutil * -decode *'
- '*certutil * -decodehex *'
rule: extended certutil rule to include verifyctl and allows renamed certutil
2019-01-22 16:20:06 +01:00
- '* -urlcache * http*'
- '* -urlcache * ftp*'
- '* -verifyctl * http*'
- '* -verifyctl * ftp*'
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
2018-09-23 20:28:05 +02:00
- '*certutil *-URL*'
- '*certutil *-ping*'
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
- '*certutil.exe * -decode *'
- '*certutil.exe * -decodehex *'
- '*certutil.exe *-URL*'
- '*certutil.exe *-ping*'
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*certutil * -decode *'
- '*certutil * -decodehex *'
rule: extended certutil rule to include verifyctl and allows renamed certutil
2019-01-22 16:20:06 +01:00
- '* -urlcache * http*'
- '* -urlcache * ftp*'
- '* -verifyctl * http*'
- '* -verifyctl * ftp*'
Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00
- '*certutil *-URL*'
- '*certutil *-ping*'
- '*certutil.exe * -decode *'
- '*certutil.exe * -decodehex *'
- '*certutil.exe *-URL*'
- '*certutil.exe *-ping*'
Reference in New Issue Copy Permalink