File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations.
Sigma rule
title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
      type: derived
status: experimental
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    selection_extension:
        CommandLine|contains:
            # Note: Add more suspicious locations to increase coverage
            - '\AppData\Roaming\'
            - '\Desktop\'
            - '\Local\Temp\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '$Recycle.Bin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs