← Back to Explore
sigmamediumHunting
DLL Loaded via CertOC.EXE
Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
Detection Query
selection_img:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
selection_cli:
CommandLine|contains|windash: " -LoadDLL "
condition: all of selection_*
Author
Austin Songer @austinsonger
Created
2021-10-23
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: DLL Loaded via CertOC.EXE
id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
- id: 84232095-ecca-4015-b0d7-7726507ee793
type: similar
status: test
description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021-10-23
modified: 2024-03-05
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
condition: all of selection_*
falsepositives:
- Unknown
level: medium