Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
33 lines
1.4 KiB
YAML
33 lines
1.4 KiB
YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
|
|
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
|
|
status: test
|
|
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
|
|
references:
|
|
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
|
|
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
|
|
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
|
|
- https://twitter.com/JohnLaTwC/status/835149808817991680
|
|
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
|
|
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
|
|
date: 2023-02-15
|
|
modified: 2024-03-05
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1027
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\certutil.exe'
|
|
- OriginalFileName: 'CertUtil.exe'
|
|
selection_cli:
|
|
CommandLine|contains|windash:
|
|
- '-decode ' # Decode Base64
|
|
- '-decodehex ' # Decode Hex
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|