security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b85d96e45818e25c11b662be7d2f036c2b20ebef
blue-team-tools/rules/windows/sysmon/sysmon_susp_certutil_command.yml
T

22 lines
714 B
YAML
Raw Blame History

title: Suspicious Certutil Command
status: experimental
description: Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author: Florian Roth
reference: https://twitter.com/JohnLaTwC/status/835149808817991680
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -urlcache -split -f' # https://twitter.com/subTee/status/888102593838362624
condition: selection
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink