Detectionmediumtest

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon May 16Updated Wed Oct 1870ad0861-d1fe-491c-a45f-fa48148a300dwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-GetCACAPS'
            - 'http'
    condition: all of selection*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1105 · Ingress Tool Transfer

Related Rules

SimilarDetectionhigh

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

70ad0861-d1fe-491c-a45f-fa48148a300d

Status

test

Level

medium

Type

Detection

Created

Mon May 16

Modified

Wed Oct 18

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_certoc_download.yml

Raw Tags

attack.command-and-controlattack.t1105

View on GitHub