SigmaHQ/rules/windows/sysmon/sysmon_susp_certutil_command.yml

title: Suspicious Certutil Command
status: experimental
description: Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author:
    - Florian Roth
    - juju4
reference: 
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://twitter.com/subTee/status/888102593838362624
    - https://twitter.com/subTee/status/888071631528235010
    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine: 
            - '*\certutil.exe * -decode *'
            - '*\certutil.exe * -decodehex *'
            - '*\certutil.exe *-urlcache* http*'
            - '*\certutil.exe *-urlcache* ftp*'
            - '*\certutil.exe *-URL*'
            - '*\certutil.exe *-ping*'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
certutil detections (renamed, extended) see https://twitter.com/subTee/status/888102593838362624 2017-07-20 18:38:10 +00:00			`title: Suspicious Certutil Command`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`status: experimental`
certutil detections (renamed, extended) see https://twitter.com/subTee/status/888102593838362624 2017-07-20 18:38:10 +00:00			`description: Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`author:`
			`- Florian Roth`
			`- juju4`
certutil file download - more generic approach 2017-07-20 18:48:47 +00:00			`reference:`
			`- https://twitter.com/JohnLaTwC/status/835149808817991680`
			`- https://twitter.com/subTee/status/888102593838362624`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`- https://twitter.com/subTee/status/888071631528235010`
			`- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/`
			`- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`detection:`
			`selection:`
			`EventID: 1`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`CommandLine:`
Improved certutil.exe rules 2017-03-27 20:30:26 +00:00			`- '\certutil.exe -decode *'`
			`- '\certutil.exe -decodehex *'`
Corrected error in certutil rules (-f means force overwrite, not file) > the -urlcache is the relevant command 2017-07-20 18:54:55 +00:00			`- '\certutil.exe -urlcache* http*'`
			`- '\certutil.exe -urlcache* ftp*'`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`- '\certutil.exe -URL*'`
			`- '\certutil.exe -ping*'`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`condition: selection`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`falsepositives:`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`- False positives depend on scripts and administrative tools used in the monitored environment`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`level: high`