File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
Sigma rule (View on GitHub)
1title: File Download via CertOC.EXE
2id: 70ad0861-d1fe-491c-a45f-fa48148a300d
3related:
4 - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
5 type: similar
6status: test
7description: Detects when a user downloads a file by using CertOC.exe
8references:
9 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/05/16
12modified: 2023/10/18
13tags:
14 - attack.command_and_control
15 - attack.t1105
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\certoc.exe'
22 - OriginalFileName: 'CertOC.exe'
23 selection_cli:
24 CommandLine|contains|all:
25 - '-GetCACAPS'
26 - 'http'
27 condition: all of selection*
28falsepositives:
29 - Unknown
30level: medium
References
Related rules
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- File Download From IP Based URL Via CertOC.EXE
- Suspicious Download from Office Domain
- Curl Usage on Linux
- Finger.exe Suspicious Invocation