Nasreddine Bencherchali
4142819114
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
36 lines
1.5 KiB
YAML
36 lines
1.5 KiB
YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
|
|
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
|
|
status: test
|
|
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
|
|
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
|
|
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
|
|
- https://twitter.com/JohnLaTwC/status/835149808817991680
|
|
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
|
|
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
|
|
date: 2023/02/15
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1027
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\certutil.exe'
|
|
- OriginalFileName: 'CertUtil.exe'
|
|
selection_cli:
|
|
CommandLine|contains:
|
|
# Decode Base64
|
|
- '-decode '
|
|
- '/decode '
|
|
# Decode Hex
|
|
- '-decodehex '
|
|
- '/decodehex '
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|