sigmahighHunting

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

MITRE ATT&CK

command-and-controlexecution

Detection Query

selection_img:
  - Image|endswith: \certoc.exe
  - OriginalFileName: CertOC.exe
selection_ip:
  CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
selection_cli:
  CommandLine|contains: -GetCACAPS
condition: all of selection*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-10-18

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://lolbas-project.github.io/lolbas/Binaries/Certoc/

Tags

attack.command-and-controlattack.executionattack.t1105

Raw Content

title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
      type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_cli:
        CommandLine|contains: '-GetCACAPS'
    condition: all of selection*
falsepositives:
    - Unknown
level: high