title: Deobfuscate or Decode Files
description: This Atomic tests detection of certutil encoding and decoding of executables,
and the replication of certutil for bypassing detection of executable encoding.
Our query below will detect renamed certutil by matching on DisplayName,
as well as encoding or decoding of exe files.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Defense Evasion
technique: T1140
subtechnique: null
operating_system: windows
query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
false_positives: null
tags: null