[Rule Tuning] Suspicious CertUtil Commands (#1564)

(cherry picked from commit ab521f7c4f)
Austin Songer
2021-11-17 14:41:07 -06:00
committed by github-actions[bot]
parent 791c8f9864
commit cb85a35e7a
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/05/06"
updated_date = "2021/10/15"
[rule]
author = ["Elastic"]
author = ["Elastic", "Austin Songer"]
description = """
Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of
Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or
@@ -31,7 +31,7 @@ type = "eql"
query = '''
process where event.type == "start" and
(process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex")
process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
'''
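Review bot: Adding `?exportPFX` to the `process.args` list on the new query line widens the rule beyond what its description and threat mapping describe: exporting a PFX is certificate/private-key theft rather than the decode-and-download tradecraft the surrounding text covers, so the `[[rule.threat]]` block (the visible part of it lower in the file maps only "Deobfuscate/Decode Files or Information" under TA0005) should gain a Credential Access mapping such as T1552.004 Private Keys, and the `description` in the first hunk should mention private-key export. The same switch is routine in certificate-rotation scripts run by administrators, so the rule's `false_positives` entry (not visible here — cannot confirm one exists) should carry something like `"Administrative certificate backup or rotation tooling that exports PFX files with certutil; tune on process.parent.name or user.name."`. As written, EQL `:` matching is case-insensitive and `?` consumes exactly one character, so `?exportPFX` covers both `-exportPFX` and `/exportPFX` in any casing, which appears to be the intended coverage; a short comment above the query stating that assumption would help future tuning.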
@@ -47,3 +47,4 @@ name = "Deobfuscate/Decode Files or Information"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
name = "Defense Evasion"