From ee235baf2d238b13d6d7a8762562f12a6878e70e Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 20 Sep 2020 21:42:39 -0500 Subject: [PATCH] T1140 Certutil Obsc exec --- DefenseEvasion.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 0e825ed..4f4749e 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -116,6 +116,12 @@ Detects enabling of Guest account, adding Guest account to groups, as well as ch ### T1140 Deobfuscate/Decode Files or Information Atomics: [T1140](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md) +This Atomic tests detections of certutil encoding and decoding of executables, and the replication of certutil for bypassing detection of executable encoding. Our query below will detected renamed certutil through matching of DisplayName, as well as encoding or decoding of exe files. + +``` +(TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)" OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") ) +``` + ### T1562.002 Disable Windows Event Logging Atomics: [T1562.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md)
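Review bot: the second branch of the added query only fires when `TgtProcDisplayName = "CertUtil.exe"`, so an encode/decode of an `.exe` by a copy of certutil whose version resource has been stripped or altered is not covered by either clause, even though the prose says the query catches "encoding or decoding of exe files"; consider dropping the DisplayName condition from that branch, or adding a third branch keyed on `TgtProcName = "certutil.exe"`, so the command-line match stands on its own. Two smaller points on the same hunk: the leading `^.*` in `"^.*(-decode).*\.(exe)"` and `"^.*(-encode).*\.(exe)"` is redundant for an unanchored RegExp match and the capturing groups around `-decode` and `exe` serve no purpose, so `"-decode.*\.exe"` / `"-encode.*\.exe"` reads more clearly and would be a good place to state whether the match is case-insensitive; and the added sentence has a typo, "will detected renamed certutil" should read "will detect renamed certutil".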