CertUtil Downloading Malicious Binaries
Detects usage of certutil to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: CertUtil Downloading Malicious Binaries
2id: b7bfe106-4c22-4ced-82da-b12c39bef679
3status: experimental
4description: Detects usage of certutil to download malicious code. Inspired by the
5 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.command_and_control
12 - attack.t1105
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\certutil.exe'
19 CommandLine|contains|all:
20 - 'urlcache'
21 - 'split'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high```
References
-
Ingress Tool Transfer is a technique adversaries leverage to bring their own external tools into a compromised network.
Read More
Related rules
- BITSAdmin Downloading Malicious Binaries
- Executable from Webdav
- Remote File Copy
- Potential Remote Desktop Connection to Non-Domain Host
- Suspicious LDAP-Attributes Used