From 2ad13eac069401993854168eb4c3c2f43f82ce32 Mon Sep 17 00:00:00 2001
From: LeamanB
Date: Sun, 13 Jul 2025 17:55:02 -0500
Subject: [PATCH] Add Sysmon rule for certutil abuse detection (T1105)

---
 1_process_creation/include_certutil_abuse.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 1_process_creation/include_certutil_abuse.xml

diff --git a/1_process_creation/include_certutil_abuse.xml b/1_process_creation/include_certutil_abuse.xml
new file mode 100644
index 00000000..ffe25780
--- /dev/null
+++ b/1_process_creation/include_certutil_abuse.xml
@@ -0,0 +1,10 @@
+ + certutil + -urlcache + + certutil + -decode + +
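Review bot: The two CommandLine matches (`-urlcache`, `-decode`) only cover the dash spelling of the switches, but certutil accepts a slash prefix as well, so the equally common `/urlcache` and `/decode` forms would not be included by this file; widen each match, e.g. `<CommandLine condition="contains any">-urlcache;/urlcache</CommandLine>` and the same for decode. The element markup has been stripped in this rendering so the Image condition cannot be checked, but a bare value of `certutil` would not match `certutil.exe` under an `end with` condition — confirm the condition is `image` or the value carries the `.exe` suffix. The subject tags the file T1105, which fits the `-urlcache` download rule, while `-decode` is deobfuscation (T1140); if the Rule name attribute carries technique tagging, the second rule should be labelled accordingly. The hunk header declares ten added lines but only eight `+` markers survive here, so the container elements may simply be missing from this view rather than from the file.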