File Decoded From Base64/Hex Via Certutil.EXE

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027  ·
Share on: linkedin copy

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

Sigma rule (View on GitHub)

 1title: File Decoded From Base64/Hex Via Certutil.EXE
 2id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
 3status: test
 4description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 7    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 8    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
 9    - https://twitter.com/JohnLaTwC/status/835149808817991680
10    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
11    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
12author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
13date: 2023-02-15
14modified: 2024-03-05
15tags:
16    - attack.defense-evasion
17    - attack.t1027
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\certutil.exe'
24        - OriginalFileName: 'CertUtil.exe'
25    selection_cli:
26        CommandLine|contains|windash:
27            - '-decode ' # Decode Base64
28            - '-decodehex ' # Decode Hex
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

  • certutil

    Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components.


    Read More

  • New BabyShark Malware Targets U.S. National Security Think Tanks

    In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.


    Read More

  • Compromised Exchange server hosting cryptojacker targeting other Exchange servers

    An ouroboros of malicious cryptominers takes advantage of the ProxyLogon exploit


    Read More

  • x.com


    Read More

  • Basic CRL checking with certutil

    Basic CRL checking with certutil Article 11/30/2006 I want to start this blog with a very basic topic: CRL checking. In the past we have documented a lot about CRL checking but I am still seeing th...


    Read More

  • Certutil on LOLBAS

    Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top