Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Feb 15Updated Tue Mar 0584232095-ecca-4015-b0d7-7726507ee793windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|windash: ' -LoadDLL '
    selection_paths:
        CommandLine|contains:
            - '\Appdata\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Users\Public\'
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\Temp\'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
3
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
84232095-ecca-4015-b0d7-7726507ee793
Status
test
Level
high
Type
Detection
Created
Wed Feb 15
Modified
Tue Mar 05
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub