Suspicious Download Via Certutil.EXE

 1title: Suspicious Download Via Certutil.EXE
 2id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
 3related:
 4    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
 5      type: similar
 6status: test
 7description: Detects the execution of certutil with certain flags that allow the utility to download files.
 8references:
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
10    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
11    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
12    - https://twitter.com/egre55/status/1087685529016193025
13    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
14author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
15date: 2023-02-15
16tags:
17    - attack.defense-evasion
18    - attack.t1027
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\certutil.exe'
25        - OriginalFileName: 'CertUtil.exe'
26    selection_flags:
27        CommandLine|contains:
28            - 'urlcache '
29            - 'verifyctl '
30    selection_http:
31        CommandLine|contains: 'http'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: medium

References

• certutil

  

  Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components.

  
  Read More

• An AgentTesla Sample Using VBA Macros and Certutil

  AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.

  
  Read More

• Compromised Exchange server hosting cryptojacker targeting other Exchange servers

  

  An ouroboros of malicious cryptominers takes advantage of the ProxyLogon exploit

  
  Read More

• x.com

  
  Read More

• Certutil on LOLBAS

  

  Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

Related rules

• Base64 Encoded PowerShell Command Detected
• Certificate Exported Via Certutil.EXE
• ConvertTo-SecureString Cmdlet Usage Via CommandLine
• Decode Base64 Encoded Text
• Decode Base64 Encoded Text -MacOs