Certreq Downloading Malicious Binaries
Just like certutil, certreq can also be abused by adversaries to download and upload data. The following analytic will look for the execution of certreq.exe with command options that suggest a file is being downloaded. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Certreq Downloading Malicious Binaries
2id: da4eca65-03c5-497a-a8f0-d4b0534a5c53
3status: experimental
4description: |
5 Just like certutil, certreq can also be abused by adversaries to download and
6 upload data. The following analytic will look for the execution of certreq.exe
7 with command options that suggest a file is being downloaded. Part of the
8 RedCanary 2024 Threat Detection Report.
9references:
10 - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
11author: RedCanary, Sigma formatting by Micah Babinski
12date: 2024/03/21
13tags:
14 - attack.command_and_control
15 - attack.t1105
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\certreq.exe'
22 CommandLine|contains:
23 - '-post'
24 - '-config'
25 - 'http'
26 - 'get'
27 condition: selection
28falsepositives:
29 - Unknown
30level: low```
References
-
Ingress Tool Transfer is a technique adversaries leverage to bring their own external tools into a compromised network.
Read More
Related rules
- BITSAdmin Downloading Malicious Binaries
- CertUtil Downloading Malicious Binaries
- Replace.exe Usage
- Script Initiated Connection to Non-Local Network
- Curl Download And Execute Combination