Nasreddine Bencherchali
34 lines
1.5 KiB
YAML
34 lines
1.5 KiB
YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
|
|
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
|
|
status: test
|
|
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
|
|
references:
|
|
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
|
|
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
|
|
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
|
|
- https://twitter.com/JohnLaTwC/status/835149808817991680
|
|
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
|
|
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
|
|
date: 2023-02-15
|
|
modified: 2025-06-04
|
|
tags:
|
|
- attack.stealth
|
|
- attack.t1027
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\certutil.exe'
|
|
- OriginalFileName: 'CertUtil.exe'
|
|
selection_cli:
|
|
CommandLine|contains|windash:
|
|
- '-decode ' # Decode Base64
|
|
- '-decodehex ' # Decode Hex
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml
|