FalconFriday: Detecting suspicious code compilation and Certutil

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today: part three.

Today’s content:

-> Detecting suspicious code compilation.
-> Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests (PR) if you have improvements which can benefit the community. We will make sure to cover your PRs in the blog following your PR.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-certutil-and-suspicious-code-compilation-0xff02-cfe8fb5e159e

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday