From 6b6fd3fd623613ba1b1d3080de6492f07ce9d43b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Thu, 7 Oct 2021 13:31:45 +0300 Subject: [PATCH] Create certoc.yml --- yml/OSBinaries/certoc.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 yml/OSBinaries/certoc.yml diff --git a/yml/OSBinaries/certoc.yml b/yml/OSBinaries/certoc.yml new file mode 100644 index 0000000..54e5fd1 --- /dev/null +++ b/yml/OSBinaries/certoc.yml @@ -0,0 +1,28 @@ +--- +Name: CertOC.exe +Description: Used for installing certificates +Author: 'Ensar Samil' +Created: '2021-10-07' +Commands: + - Command: certoc.exe -LoadDLL "C:\test\calc.dll" + Description: Loads the target DLL file + Usecase: Execute code within DLL file + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\certoc.exe + - Path: c:\windows\syswow64\certoc.exe +Code_Sample: + - Code: +Detection: + - IOC: Process creation with given parameter + - IOC: Unsigned DLL load via certoc.exe +Resources: + - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +Acknowledgement: + - Person: Ensar Samil + Handle: '@sblmsrsn' +---
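Review bot: the `Code_Sample:` block in this hunk has a value-less `- Code:` entry; either remove the `Code_Sample` section or give it an actual value, since an empty key adds nothing and is easy to trip on when the YAML is parsed. The first detection IOC, `Process creation with given parameter`, is too vague to act on: restate it as the concrete command line this entry documents, for example `- IOC: certoc.exe process creation with -LoadDLL in the command line`, and keep the second IOC (unsigned DLL load via certoc.exe) as the module-load counterpart of the same behaviour. Also, `Full_Path` lists both `c:\windows\system32\certoc.exe` and `c:\windows\syswow64\certoc.exe` while `OperatingSystem` names only `Windows Server 2022`; if both paths were confirmed only on that platform, it would help readers to say so, and if the documented `-LoadDLL` use was tested with only one of them, mention which.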