Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 18b86f6dea-0b2f-41f5-bdcc-a057bd19cd6awindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_cli:
        CommandLine|contains: '-GetCACAPS'
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
Status
test
Level
high
Type
Detection
Created
Wed Oct 18
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
Raw Tags
attack.command-and-controlattack.executionattack.t1105
View on GitHub