[Rule Tuning] Suspicious CertUtil Commands (#1180)

* update name to Suspicious CertUtil Commands
* update description, query, and filename

rules/windows/defense_evasion_suspicious_certutil_commands.toml

@@ -1,20 +1,26 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/06"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of
-Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
-control or exfiltration.
+Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of 
+Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or 
+data exfiltration.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Encoding or Decoding Files via CertUtil"
+name = "Suspicious CertUtil Commands"
+references = [
+    "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+    "https://twitter.com/egre55/status/1087685529016193025",
+    "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
+    "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+]
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
@@ -25,7 +31,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
   (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and 
-  process.args : ("?decode", "?encode")
+  process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex")
 '''