2017-07-20 12:38:10 -06:00
title : Suspicious Certutil Command
2017-03-02 11:28:34 +01:00
status : experimental
2018-07-09 13:32:16 -05:00
description : Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
2018-06-27 09:20:20 +02:00
author : Florian Roth, juju4
2018-01-28 02:24:16 +03:00
references :
2017-07-20 12:48:47 -06:00
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
2017-08-02 00:04:28 +02:00
- https://twitter.com/subTee/status/888071631528235010
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
2017-03-02 11:28:34 +01:00
logsource :
2017-03-13 09:23:08 +01:00
product : windows
service : sysmon
2017-03-02 11:28:34 +01:00
detection :
selection :
EventID : 1
2017-08-02 00:04:28 +02:00
CommandLine :
2018-09-23 20:28:05 +02:00
- '*certutil * -decode *'
- '*certutil * -decodehex *'
- '*certutil *-urlcache* http*'
- '*certutil *-urlcache* ftp*'
- '*certutil *-URL*'
- '*certutil *-ping*'
2018-09-23 20:57:34 +02:00
- '*certutil.exe * -decode *'
- '*certutil.exe * -decodehex *'
- '*certutil.exe *-urlcache* http*'
- '*certutil.exe *-urlcache* ftp*'
- '*certutil.exe *-URL*'
- '*certutil.exe *-ping*'
2017-03-02 11:28:34 +01:00
condition : selection
2017-09-12 23:54:04 +02:00
fields :
- CommandLine
- ParentCommandLine
2018-07-19 16:42:39 +03:00
tags :
- attack.defense_evasion
- attack.t1140
- attack.s0189
- attack.g0007
2017-03-02 11:28:34 +01:00
falsepositives :
2017-08-02 00:04:28 +02:00
- False positives depend on scripts and administrative tools used in the monitored environment
2017-03-02 11:28:34 +01:00
level : high
