File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

Sigma rule (View on GitHub)

 1title: File Download From IP Based URL Via CertOC.EXE
 2id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
 3related:
 4    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
 5      type: similar
 6status: test
 7description: Detects when a user downloads a file from an IP based URL using CertOC.exe
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-10-18
12tags:
13    - attack.command-and-control
14    - attack.execution
15    - attack.t1105
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\certoc.exe'
22        - OriginalFileName: 'CertOC.exe'
23    selection_ip:
24        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
25    selection_cli:
26        CommandLine|contains: '-GetCACAPS'
27    condition: all of selection*
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top