File Encoded To Base64 Via Certutil.EXE

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027  ·
Share on: linkedin copy

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

Sigma rule (View on GitHub)

 1title: File Encoded To Base64 Via Certutil.EXE
 2id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
 3status: test
 4description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 7    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 8    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 9author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
10date: 2019-02-24
11modified: 2024-03-05
12tags:
13    - attack.defense-evasion
14    - attack.t1027
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\certutil.exe'
21        - OriginalFileName: 'CertUtil.exe'
22    selection_cli:
23        CommandLine|contains|windash: '-encode'
24    condition: all of selection_*
25falsepositives:
26    - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
27level: medium

References

  • certutil

    Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components.


    Read More

  • New BabyShark Malware Targets U.S. National Security Think Tanks

    In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.


    Read More

  • Certutil on LOLBAS

    Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top