sigmamediumHunting

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe

MITRE ATT&CK

command-and-control

Detection Query

selection_img:
  - Image|endswith: \certoc.exe
  - OriginalFileName: CertOC.exe
selection_cli:
  CommandLine|contains|all:
    - -GetCACAPS
    - http
condition: all of selection*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-05-16

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

Tags

attack.command-and-controlattack.t1105

Raw Content

title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
    - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
      type: similar
status: test
description: Detects when a user downloads a file by using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-10-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-GetCACAPS'
            - 'http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium