SigmaHQ/rules/windows/process_creation/win_susp_certutil_encode.yml

title: Certutil Encode
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: experimental
description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/02/24
modified: 2020/11/28
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - '-f'
            - '-encode'
    condition: selection
falsepositives:
    - unknown
level: medium
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`title: Certutil Encode`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`status: experimental`
			`description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil`
			`- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/`
Update win_susp_certutil_encode.yml 2020-11-28 11:31:40 +00:00			`author: Florian Roth, Jonhnathan Ribeiro, oscd.community`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`date: 2019/02/24`
Update win_susp_certutil_encode.yml 2020-11-28 11:31:40 +00:00			`modified: 2020/11/28`
att&ck tags review: windows/process_creation part 6 2020-09-05 17:35:21 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1027`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
Update win_susp_certutil_encode.yml 2020-11-28 11:31:40 +00:00			`Image\|endswith: '\certutil.exe'`
Update detection logic 2020-11-20 05:23:18 +00:00			`CommandLine\|contains\|all:`
			`- '-f'`
			`- '-encode'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- unknown`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`level: medium`