Update Certutil

This commit is contained in:
leo1-1 2020-10-26 08:57:42 +02:00 committed by GitHub
parent 2166960d4e
commit 76d79ea479
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -44,11 +44,19 @@ Commands:
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe
Code_Sample:
- Code:
- Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
Detection:
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
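Review bot: the new `Command:` line (`certutil --decodehex encoded_hexadecimal_InputFileName`) uses two dashes, but certutil switches take a single dash, and `-decodehex` also requires the output file that the `Description:` line names (`decodedOutputFileName`) while the command omits it; suggest `Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName` so the entry matches the description and the tool's real syntax. In the `Code_Sample:` block the first `- Code:` entry is empty and the second mixes the hex value with a parenthetical note (`546573745f62795f4c696f72(example of the encoded hexadecimal file)`), so neither parses as a clean sample; drop the empty entry and keep the note out of the value, e.g. `- Code: 546573745f62795f4c696f72` with the explanation in the `Description:` text instead.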
@ -64,4 +72,5 @@ Acknowledgement:
Handle: '@Moriarty_Meng'
- Person: egre55
Handle: '@egre55'
- Person: Lior Adar
---
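Review bot: the new `- Person: Lior Adar` entry has no `Handle:` line, while every entry above it in `Acknowledgement:` pairs a `Person` with a `Handle` (e.g. `- Person: egre55` / `Handle: '@egre55'`); add a `Handle:` line (or an explicit empty value) so the list stays uniform for tooling that reads the file.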