Suspicious Execution of CertOC

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

CertOC.exe is a command line utility program that is provided by Microsoft Windows for configuring and managing certificate related settings on Windows systems.

Adversaries may expolit the certOC.exe to install certificates to load the target DLL (Dynamic Link Library) file.

Impact:

It can impact the organizations in the following ways:

• Unauthorized installation of certificates
• Unauthorized manipulation of certificates
• Provide cryptographic parameters to bypass security controls

Data source:

Windows:

Required configuration: The rules is based on the process creation and termination. Prerequisites required are installing and configuring Sysmon, enabling audit process creation audit policy, and the command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005- Defense Evasion

Techniques: T1218- System Binary Proxy Execution

Criteria:

( (Original file name contains certOC ) AND ( Command line contains "loadDLL" OR Command line contains "GetCACaps" ) )

Attackers may use CertOC.exe to communicate with Certificate Services in Windows systems to perform malicious certificate management activities such as certificate installation.

The "loadDLL" command is used to load malicious DLL files into CertOC.exe.

"GetCACaps" could be used by attackers to collect information about Certificate Authority present in the victim's environment.

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified when a suspicious CertOC command has being executed. This enables you to put strict access control measures in place.

Known false positives: This event may be generated by administrators for certification management tasks such as installing, updating, or removing digital certificates on Windows.

Next steps:

When this alert is triggered, the following measures can be implemented:

• Identification: Identify the alert as a new incident or within an ongoing incident.
• Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
• Response: Respond promptly by initiating an automated workflow to cease the malicious process.
• Deploy Access Controls: Implement access controls and permissions to restrict the execution of CertOC by unauthorized users.