Suspicious File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious

Sigma rule

```yaml
title: Suspicious File Encoded To Base64 Via Certutil.EXE
id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
related:
    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
      type: derived
status: experimental
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious
references:
    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    selection_extension:
        CommandLine|contains:
            - '.acl'
            - '.bat'
            - '.doc'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.mp3'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.tmp'
            - '.xls'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
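As an added example (not part of the rule or of the Sigma project), the Python below replays the rule's three selections over constructed process_creation events, including the `windash` modifier that lets `-encode` also match the `/encode` switch form and dash look-alikes. The set of dash variants normalised here is an assumption about how your Sigma backend implements `windash`; the event field names follow the rule's logsource.

```python
import re
# Extension list copied from the rule's selection_extension.
SUSPICIOUS_EXT = ('.acl', '.bat', '.doc', '.gif', '.jpeg', '.jpg', '.mp3',
                  '.pdf', '.png', '.ppt', '.tmp', '.xls', '.xml')

# Assumed windash behaviour: '/' and the en dash, em dash and horizontal bar are
# normalised to '-' before the (case-insensitive) contains comparison.
_DASH_VARIANTS = re.compile('[/\u2013\u2014\u2015]')

def windash_contains(cmdline: str, needle: str) -> bool:
    """Emulate `CommandLine|contains|windash` (Sigma string matching is case-insensitive)."""
    return needle.lower() in _DASH_VARIANTS.sub('-', cmdline).lower()

def matches_rule(event: dict) -> bool:
    """True when selection_img, selection_cli and selection_extension all match (`all of selection_*`)."""
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    cmdline = event.get('CommandLine', '')
    selection_img = image.endswith('\\certutil.exe') or original == 'certutil.exe'
    selection_cli = windash_contains(cmdline, '-encode')
    selection_extension = any(ext in cmdline.lower() for ext in SUSPICIOUS_EXT)
    return selection_img and selection_cli and selection_extension

def alerting_commandlines(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e['CommandLine'] for e in events if matches_rule(e)]

# Constructed process_creation events for illustration, not real telemetry.
CERTUTIL = r'C:\Windows\System32\certutil.exe'
SAMPLE_EVENTS = [
    # 1: plain '-encode' of a document -> alert
    {'Image': CERTUTIL, 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': r'certutil -encode C:\Users\alice\Documents\report.pdf out.txt'},
    # 2: '/encode' switch form, caught by windash -> alert
    {'Image': CERTUTIL, 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': r'certutil /encode C:\Temp\logo.png logo.b64'},
    # 3: renamed binary and an em dash; OriginalFileName and windash still match -> alert
    {'Image': r'C:\Temp\cu.exe', 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': 'cu.exe \u2014encode notes.xml notes.txt'},
    # 4: certificate export, extension not in the list -> no alert
    {'Image': CERTUTIL, 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': 'certutil -encode server.cer server.b64'},
    # 5: decode rather than encode -> no alert (selection_cli fails)
    {'Image': CERTUTIL, 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': 'certutil -decode report.b64 report.doc'},
    # 6: another process mentioning '-encode' and '.jpg' -> no alert (selection_img fails)
    {'Image': r'C:\Windows\System32\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd /c echo -encode photo.jpg'},
]
```

Events 4 to 6 show why all three selections are ANDed: dropping any one of them would turn an ordinary certificate export, a decode, or an unrelated process into an alert.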
