diff --git a/yml/OSBinaries/certoc.yml b/yml/OSBinaries/certoc.yml new file mode 100644 index 0000000..54e5fd1 --- /dev/null +++ b/yml/OSBinaries/certoc.yml @@ -0,0 +1,28 @@ +--- +Name: CertOC.exe +Description: Used for installing certificates +Author: 'Ensar Samil' +Created: '2021-10-07' +Commands: + - Command: certoc.exe -LoadDLL "C:\test\calc.dll" + Description: Loads the target DLL file + Usecase: Execute code within DLL file + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\certoc.exe + - Path: c:\windows\syswow64\certoc.exe +Code_Sample: + - Code: +Detection: + - IOC: Process creation with given parameter + - IOC: Unsigned DLL load via certoc.exe +Resources: + - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +Acknowledgement: + - Person: Ensar Samil + Handle: '@sblmsrsn' +---