Execution via Signed Binaryedit

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to live off the land and execute malicious files that could bypass application whitelisting and signature validation.

Rule indices:

  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Potential false positivesedit

Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.

Rule queryedit

event.code:1 and http and (process.name:certutil.exe or
process.name:msiexec.exe)

Threat mappingedit

Framework: MITRE ATT&CKTM