SigmaHQ/rules/windows/sysmon/sysmon_susp_certutil_decode.yml

title: Certutil Decode in AppData
status: experimental
description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author: Florian Roth
reference: https://twitter.com/JohnLaTwC/status/835149808817991680
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image: 
            - '*\certutil.exe * -decode *'
            - '*\certutil.exe * -decodehex *'
    condition: selection
falsepositives:
    - unknown
level: high
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`title: Certutil Decode in AppData`
			`status: experimental`
Broader definition certutil.exe rule 2017-03-20 21:06:48 +00:00			`description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`author: Florian Roth`
			`reference: https://twitter.com/JohnLaTwC/status/835149808817991680`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`detection:`
			`selection:`
			`EventID: 1`
Improved certutil.exe rules 2017-03-27 20:30:26 +00:00			`Image:`
			`- '\certutil.exe -decode *'`
			`- '\certutil.exe -decodehex *'`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: high`