From cb85a35e7a95fed4c5141c487cf63b2b29a4d27d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 17 Nov 2021 14:41:07 -0600
Subject: [PATCH] [Rule Tuning] Suspicious CertUtil Commands (#1564)

(cherry picked from commit ab521f7c4fac8e2fa6346074551178f577356623)
---
 .../defense_evasion_suspicious_certutil_commands.toml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index a9c29f458..561c906a5 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/06"
+updated_date = "2021/10/15"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Austin Songer"]
 description = """
 Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of
 Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or
@@ -31,7 +31,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
   (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
-  process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex")
+  process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
 '''
 
 
@@ -47,3 +47,4 @@ name = "Deobfuscate/Decode Files or Information"
 id = "TA0005"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+
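Review bot: Adding `"?exportPFX"` to `process.args` in the second hunk widens the rule from encode/decode/download activity to certificate and private-key export, but the `description` in the first hunk (the multi-line string continues past the hunk) and the ATT&CK mapping in the third hunk (T1140 under TA0005 Defense Evasion) are left as they were, so an analyst triaging a hit on this argument gets no context and the mapping under-reports the credential-access angle. I would extend the description with a sentence such as `...or data exfiltration, and to export certificates together with their private keys (exportPFX).` and consider a second `[[rule.threat]]` entry for Credential Access / Unsecured Credentials: Private Keys (T1552.004) next to the existing T1140 mapping. Legitimate PKI administration and backup tooling also invoke `certutil -exportPFX`, so a matching `false_positives` entry (not visible in this diff) would help reviewers tune it. No query change is needed: the `?` single-character wildcard already covers both `/` and `-` prefixes, and the `:` operator is case-insensitive, so `-exportpfx` matches as well.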