valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
078eaa1180
SigmaHQ/rules/windows/sysmon/sysmon_susp_certutil_decode.yml

19 lines
517 B
YAML
Raw Normal View History

Rule: Certutil Decode in AppData
2017-03-02 10:28:34 +00:00
title: Certutil Decode in AppData
status: experimental
Broader definition certutil.exe rule
2017-03-20 21:06:48 +00:00
description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
Rule: Certutil Decode in AppData
2017-03-02 10:28:34 +00:00
author: Florian Roth
reference: https://twitter.com/JohnLaTwC/status/835149808817991680
logsource:
Sysmon as 'service' of product 'windows'
2017-03-13 08:23:08 +00:00
product: windows
service: sysmon
Rule: Certutil Decode in AppData
2017-03-02 10:28:34 +00:00
detection:
selection:
EventID: 1
Broader definition certutil.exe rule
2017-03-20 21:06:48 +00:00
Image: '*\certutil.exe -decode '
Rule: Certutil Decode in AppData
2017-03-02 10:28:34 +00:00
condition: selection
falsepositives:
- unknown
level: high
Reference in New Issue Copy Permalink