mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
18 lines
573 B
YAML
18 lines
573 B
YAML
title: Deobfuscate or Decode Files
|
|
description: Detect certutil encoding and decoding of executables,
|
|
or use of renamed certutil.exe for bypassing detections.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1140
|
|
subtechnique:
|
|
operating_system: windows
|
|
query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
|
|
( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
|
|
OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
|
|
false_positives:
|
|
tags:
|
|
|