Proxy Execution via Appcert

Anvilogic Forge

Summary
The rule "Proxy Execution via Appcert" targets a method threat actors use to run malicious payloads indirectly on Windows by abusing a legitimate tool, appcert.exe. appcert.exe is the Windows App Certification Kit utility that checks applications for compliance with Microsoft certification standards, and the detection monitors for suspicious executions of it. The logic queries process-execution events from the past two hours and keeps appcert instances whose command line indicates an attempt to launch another binary, excluding known setup command lines to reduce false positives. The rule maps to technique T1127 (Trusted Developer Utilities Proxy Execution), in which trusted developer tools are used to run potentially malicious code as a form of defense evasion. The detection consumes EDR logs and is intended to strengthen defenses against unapproved execution through commonly trusted binaries in Windows environments.
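To make the filtering described above concrete, the following is an added, stand-alone reimplementation of that logic run over a few constructed EDR process events. It is not Anvilogic's rule code. The JSON-lines event schema (ts, host, user, image, cmdline), the fixed query time, the command-line switches in the sample events, and the allowlist used for "known setup command lines" are all assumptions made for illustration; a production rule would draw its allowlist from baselining in the environment.

```python
"""Added example: minimal reimplementation of the "Proxy Execution via Appcert"
detection logic over constructed EDR events. Not Anvilogic's rule code."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample EDR process-execution events in a hypothetical JSON-lines
# schema. Paths, users, hosts and command-line switches are illustrative only.
SAMPLE_EVENTS = r"""
{"ts": "2024-02-09T10:05:00Z", "host": "WS01", "user": "alice", "image": "C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe", "cmdline": "appcert.exe test -apptype desktop -setuppath \"C:\\Installers\\MyApp-Setup.exe\" -reportoutputpath \"C:\\Reports\\MyApp.xml\""}
{"ts": "2024-02-09T11:40:00Z", "host": "WS02", "user": "bob", "image": "C:\\Users\\bob\\Downloads\\appcert.exe", "cmdline": "appcert.exe test -apptype desktop -setuppath \"C:\\Users\\Public\\update_placeholder.exe\""}
{"ts": "2024-02-09T06:00:00Z", "host": "WS03", "user": "carol", "image": "C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe", "cmdline": "appcert.exe test -apptype desktop -setuppath \"C:\\Temp\\old_placeholder.exe\""}
{"ts": "2024-02-09T11:50:00Z", "host": "WS04", "user": "dave", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\dave\\notes.txt"}
{"ts": "2024-02-09T11:55:00Z", "host": "WS05", "user": "erin", "image": "C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe", "cmdline": "appcert.exe"}
"""

# Constructed "query time"; the rule looks back two hours from it.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=2)

# Assumed allowlist of known setup command lines: installers staged in an
# approved directory. Real deployments would build this list from baselining.
KNOWN_SETUP_PATTERNS = [
    re.compile(r'-setuppath\s+"?C:\\Installers\\[^"\s]+\.exe"?', re.IGNORECASE),
]

# Matches either a full Windows path ending in .exe or a bare name ending in .exe.
EXE_TOKEN = re.compile(r'[A-Za-z]:\\[^"\s]+?\.exe|\b[\w.-]+\.exe\b', re.IGNORECASE)


def launched_binaries(cmdline):
    """Return executables referenced in the command line other than appcert itself."""
    found = []
    for match in EXE_TOKEN.finditer(cmdline):
        token = match.group(0)
        if token.lower().rsplit("\\", 1)[-1] == "appcert.exe":
            continue
        found.append(token)
    return found


def is_known_setup(cmdline):
    """True when the command line matches an allowlisted setup invocation."""
    return any(pattern.search(cmdline) for pattern in KNOWN_SETUP_PATTERNS)


def detect(events_text, now):
    """Apply the rule: appcert.exe executions within the look-back window whose
    command line references another binary and is not a known setup command line."""
    hits = []
    cutoff = now - WINDOW
    for line in events_text.strip().splitlines():
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        if ts < cutoff or ts > now:
            continue  # outside the two-hour window
        if event["image"].rsplit("\\", 1)[-1].lower() != "appcert.exe":
            continue  # not an appcert execution
        targets = launched_binaries(event["cmdline"])
        if not targets:
            continue  # appcert ran, but no other binary is referenced
        if is_known_setup(event["cmdline"]):
            continue  # allowlisted setup command line
        hits.append({
            "ts": event["ts"],
            "host": event["host"],
            "user": event["user"],
            "image": event["image"],
            "targets": targets,
        })
    return hits


def run_sample():
    """Run the detection over the constructed events at the constructed query time."""
    return detect(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(json.dumps(hit))
```

Of the five constructed events, only the WS02 event survives every filter: it is inside the window, the image is appcert.exe, the command line references another executable, and that reference is not on the allowlist. The WS01 event is dropped by the allowlist, the WS03 event by the time window, and the WS05 event because appcert was run without any other binary on its command line. Keeping the image path in the alert output lets an analyst notice that the WS02 copy of appcert.exe ran from a user's Downloads folder, which the page's rule does not filter on but which is useful triage context.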
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • User Account
ATT&CK Techniques
  • T1127
  • T1218
Created: 2024-02-09