Nasreddine Bencherchali
dc9a998874
update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to `high`
33 lines
1.4 KiB
YAML
33 lines
1.4 KiB
YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
|
|
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
|
|
status: test
|
|
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
|
|
references:
|
|
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
|
|
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
|
|
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
|
|
- https://twitter.com/JohnLaTwC/status/835149808817991680
|
|
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
|
|
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
|
|
date: 2023-02-15
|
|
modified: 2025-06-04
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1027
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\certutil.exe'
|
|
- OriginalFileName: 'CertUtil.exe'
|
|
selection_cli:
|
|
CommandLine|contains|windash:
|
|
- '-decode ' # Decode Base64
|
|
- '-decodehex ' # Decode Hex
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|