File In Suspicious Location Encoded To Base64 Via Certutil.EXE

calendar Mar 11, 2024 · attack.defense_evasion attack.t1027  ·
Share on: linkedin copy

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Sigma rule (View on GitHub)

 1title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
 2id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
 3related:
 4    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
 5      type: derived
 6status: experimental
 7description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
 8references:
 9    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
10    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
11    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
12    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/05/15
15modified: 2024/03/05
16tags:
17    - attack.defense_evasion
18    - attack.t1027
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\certutil.exe'
25        - OriginalFileName: 'CertUtil.exe'
26    selection_cli:
27        CommandLine|contains|windash: '-encode'
28    selection_extension:
29        CommandLine|contains:
30            # Note: Add more suspicious locations to increase coverage
31            - '\AppData\Roaming\'
32            - '\Desktop\'
33            - '\Local\Temp\'
34            - '\PerfLogs\'
35            - '\Users\Public\'
36            - '\Windows\Temp\'
37            - '$Recycle.Bin'
38    condition: all of selection_*
39falsepositives:
40    - Unknown
41level: high

References

Related rules

to-top