--- action: global title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility author: Florian Roth, juju4, keepwatch modified: 2019/01/22 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ detection: condition: selection fields: - CommandLine - ParentCommandLine tags: - attack.defense_evasion - attack.t1140 - attack.t1105 - attack.s0189 - attack.g0007 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high --- logsource: product: windows service: sysmon detection: selection: EventID: 1 CommandLine: - '* -decode *' - '* /decode *' - '* -decodehex *' - '* /decodehex *' - '* -urlcache *' - '* /urlcache *' - '* -verifyctl *' - '* /verifyctl *' - '* -encode *' - '* /encode *' - '*certutil* -URL*' - '*certutil* /URL*' - '*certutil* -ping*' - '*certutil* /ping*' --- logsource: product: windows service: security definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 ProcessCommandLine: - '* -decode *' - '* /decode *' - '* -decodehex *' - '* /decodehex *' - '* -urlcache *' - '* /urlcache *' - '* -verifyctl *' - '* /verifyctl *' - '* -encode *' - '* /encode *' - '*certutil* -URL*' - '*certutil* /URL*' - '*certutil* -ping*' - '*certutil* /ping*'