SigmaHQ/rules/windows/sysmon/sysmon_susp_certutil_command.yml

---
action: global
title: Suspicious Certutil Command
status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
author: Florian Roth, juju4
modified: 2019/01/22
references:
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://twitter.com/subTee/status/888102593838362624
    - https://twitter.com/subTee/status/888071631528235010
    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
    - https://twitter.com/egre55/status/1087685529016193025
detection:
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.s0189
    - attack.g0007
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine: 
            - '*certutil * -decode *'
            - '*certutil * -decodehex *'
            - '* -urlcache * http*'
            - '* -urlcache * ftp*'
            - '* -verifyctl * http*'
            - '* -verifyctl * ftp*'
            - '*certutil *-URL*'
            - '*certutil *-ping*'
            - '*certutil.exe * -decode *'
            - '*certutil.exe * -decodehex *'
            - '*certutil.exe *-URL*'
            - '*certutil.exe *-ping*'
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        ProcessCommandLine: 
            - '*certutil * -decode *'
            - '*certutil * -decodehex *'
            - '* -urlcache * http*'
            - '* -urlcache * ftp*'
            - '* -verifyctl * http*'
            - '* -verifyctl * ftp*'
            - '*certutil *-URL*'
            - '*certutil *-ping*'
            - '*certutil.exe * -decode *'
            - '*certutil.exe * -decodehex *'
            - '*certutil.exe *-URL*'
            - '*certutil.exe *-ping*'
Bugfix: wrong field for 4688 process creation events 2018-12-11 15:10:15 +00:00			`---`
			`action: global`
certutil detections (renamed, extended) see https://twitter.com/subTee/status/888102593838362624 2017-07-20 18:38:10 +00:00			`title: Suspicious Certutil Command`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`status: experimental`
Fixed typo 2018-07-09 18:32:16 +00:00			`description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility`
Fixed bugs 2018-06-27 07:20:20 +00:00			`author: Florian Roth, juju4`
rule: extended certutil rule to include verifyctl and allows renamed certutil https://twitter.com/egre55/status/1087685529016193025 2019-01-22 15:20:06 +00:00			`modified: 2019/01/22`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
certutil file download - more generic approach 2017-07-20 18:48:47 +00:00			`- https://twitter.com/JohnLaTwC/status/835149808817991680`
			`- https://twitter.com/subTee/status/888102593838362624`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`- https://twitter.com/subTee/status/888071631528235010`
			`- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/`
			`- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/`
rule: extended certutil rule to include verifyctl and allows renamed certutil https://twitter.com/egre55/status/1087685529016193025 2019-01-22 15:20:06 +00:00			`- https://twitter.com/egre55/status/1087685529016193025`
Bugfix: wrong field for 4688 process creation events 2018-12-11 15:10:15 +00:00			`detection:`
			`condition: selection`
			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1140`
			`- attack.s0189`
			`- attack.g0007`
			`falsepositives:`
			`- False positives depend on scripts and administrative tools used in the monitored environment`
			`level: high`
			`---`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
Rule: Certutil Decode in AppData 2017-03-02 10:28:34 +00:00			`detection:`
			`selection:`
			`EventID: 1`
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-01 22:04:28 +00:00			`CommandLine:`
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command Below is an example of a test - the command line does not include the path nor the .exe. I think this comes from the initial detection on the Image path and the later switch to command line. We could also use both the Image path and the Command Line. Message : Process Create: Image: C:\Windows\SysWOW64\certutil.exe CommandLine: certutil xx -decode xxx Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" 2018-09-23 18:28:05 +00:00			`- 'certutil -decode *'`
			`- 'certutil -decodehex *'`
rule: extended certutil rule to include verifyctl and allows renamed certutil https://twitter.com/egre55/status/1087685529016193025 2019-01-22 15:20:06 +00:00			`- '* -urlcache * http*'`
			`- '* -urlcache * ftp*'`
			`- '* -verifyctl * http*'`
			`- '* -verifyctl * ftp*'`
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command Below is an example of a test - the command line does not include the path nor the .exe. I think this comes from the initial detection on the Image path and the later switch to command line. We could also use both the Image path and the Command Line. Message : Process Create: Image: C:\Windows\SysWOW64\certutil.exe CommandLine: certutil xx -decode xxx Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" 2018-09-23 18:28:05 +00:00			`- 'certutil -URL*'`
			`- 'certutil -ping*'`
Include cases in which certutil.exe is used 2018-09-23 18:57:34 +00:00			`- 'certutil.exe -decode *'`
			`- 'certutil.exe -decodehex *'`
			`- 'certutil.exe -URL*'`
			`- 'certutil.exe -ping*'`
Bugfix: wrong field for 4688 process creation events 2018-12-11 15:10:15 +00:00			`---`
			`logsource:`
			`product: windows`
			`service: security`
			`definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`
			`detection:`
			`selection:`
			`EventID: 4688`
			`ProcessCommandLine:`
			`- 'certutil -decode *'`
			`- 'certutil -decodehex *'`
rule: extended certutil rule to include verifyctl and allows renamed certutil https://twitter.com/egre55/status/1087685529016193025 2019-01-22 15:20:06 +00:00			`- '* -urlcache * http*'`
			`- '* -urlcache * ftp*'`
			`- '* -verifyctl * http*'`
			`- '* -verifyctl * ftp*'`
Bugfix: wrong field for 4688 process creation events 2018-12-11 15:10:15 +00:00			`- 'certutil -URL*'`
			`- 'certutil -ping*'`
			`- 'certutil.exe -decode *'`
			`- 'certutil.exe -decodehex *'`
			`- 'certutil.exe -URL*'`
			`- 'certutil.exe -ping*'`