Run CertUtil from suspicious location

 1title: Run CertUtil from suspicious location
 2status: experimental
 3description: Run CertUtil from suspicious location
 4author: Joe Security
 5date: 2020-08-11
 6id: 200084
 7threatname:
 8behaviorgroup: 20
 9classification: 4
10mitreattack:
11
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine:
18            - '*c:\programdata\curl.com /urlcache /f http*'
19            - '*programdata\\*.exe -urlcache -f -split http*'
20    condition: selection
21level: critical