Broader definition certutil.exe rule

Florian Roth
2017-03-20 22:06:48 +01:00
parent 1bf11dc471
commit 6f38a44ec1
@@ -1,6 +1,6 @@
title: Certutil Decode in AppData
status: experimental
description: Detetcs a Microsoft certutil execution with the 'decode' sub command on files in the AppData folder, which is sometimes used to decode malicious code with the built-in certutil utility
description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author: Florian Roth
reference: https://twitter.com/JohnLaTwC/status/835149808817991680
logsource:
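Review bot: The description carries the typo "Detetcs" in both the removed and the added line; since this hunk already rewrites that line, correct it to "Detects a Microsoft certutil execution with the 'decode' sub command, ...". The title on the unchanged line above, "Certutil Decode in AppData", also no longer matches the broadened description now that the AppData restriction is gone; rename it (for example "Certutil Decode") in the same change so the rule's title and description agree.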
@@ -9,8 +9,7 @@ logsource:
detection:
selection:
EventID: 1
Image: '*\certutil.exe'
CommandLine: '* -decode *\AppData\*'
Image: '*\certutil.exe -decode '
condition: selection
falsepositives:
- unknown
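Review bot: The new selection `Image: '*\certutil.exe -decode '` will not match anything, because for Sysmon EventID 1 the Image field holds only the executable path and never command-line arguments; the `-decode` token belongs in the CommandLine field. Keep `Image: '*\certutil.exe'` and broaden the command-line pattern instead, for example `CommandLine: '* -decode *'`, which is what the commit message ("broader definition") intends. The trailing space in the removed/added value is also fragile, since it silently fails when `-decode` is the last argument. Finally, dropping the AppData constraint widens the rule to legitimate administrative use of `certutil -decode`, so the `falsepositives` entry of `unknown` should be revisited and list that case explicitly.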