cscli scenarios install sigmahq/proc_creation_win_certoc_download_direct_ip1type: trigger2name: sigmahq/proc_creation_win_certoc_download_direct_ip3description: |4 Detects when a user downloads a file from an IP based URL using CertOC.exe5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\certoc.exe' || evt.Parsed.OriginalFileName == 'CertOC.exe') && evt.Parsed.CommandLine matches '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' && evt.Parsed.CommandLine contains '-GetCACAPS')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t11051516 label: "File Download From IP Based URL Via CertOC.EXE"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324