2017-07-20 18:38:10 +00:00
title : Suspicious Certutil Command
2017-03-02 10:28:34 +00:00
status : experimental
2017-07-20 18:38:10 +00:00
description : Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
2017-03-02 10:28:34 +00:00
author : Florian Roth
2017-07-20 18:48:47 +00:00
reference :
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
2017-03-02 10:28:34 +00:00
logsource :
2017-03-13 08:23:08 +00:00
product : windows
service : sysmon
2017-03-02 10:28:34 +00:00
detection :
selection :
EventID : 1
2017-03-27 20:30:26 +00:00
Image :
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
2017-07-20 18:48:47 +00:00
- '*\certutil.exe -urlcache -split -f'
- '*\certutil.exe *-f http*'
- '*\certutil.exe *-f ftp*'
2017-03-02 10:28:34 +00:00
condition : selection
falsepositives :
- unknown
level : high
