Suspicious Download Via Certutil.EXE

calendar Dec 3, 2025 · attack.defense-evasion attack.t1027 attack.command-and-control attack.t1105  ·
Share on: linkedin copy

Detects the execution of certutil with certain flags that allow the utility to download files.

Sigma rule (View on GitHub)

 1title: Suspicious Download Via Certutil.EXE
 2id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
 3related:
 4    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
 5      type: similar
 6status: test
 7description: Detects the execution of certutil with certain flags that allow the utility to download files.
 8references:
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
10    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
11    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
12    - https://twitter.com/egre55/status/1087685529016193025
13    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
14    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
15author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
16date: 2023-02-15
17modified: 2025-12-01
18tags:
19    - attack.defense-evasion
20    - attack.t1027
21    - attack.command-and-control
22    - attack.t1105
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith: '\certutil.exe'
29        - OriginalFileName: 'CertUtil.exe'
30    selection_flags:
31        CommandLine|contains:
32            - 'urlcache '
33            - 'verifyctl '
34            - 'URL '
35    selection_http:
36        CommandLine|contains: 'http'
37    condition: all of selection_*
38falsepositives:
39    - Unknown
40level: medium
41regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml

References

  • certutil

    Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components in Windows.


    Read More

  • An AgentTesla Sample Using VBA Macros and Certutil

    AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.


    Read More

  • Compromised Exchange server hosting cryptojacker targeting other Exchange servers

    An ouroboros of malicious cryptominers takes advantage of the ProxyLogon exploit


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • Certutil on LOLBAS

    Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • certutil – one more GUI lolbin

    Cerutil is a very complex tool and only careful review of all its options allows us to comprehend its rich functionality. Lots of its command line arguments are described online all over the place ...


    Read More

Related rules

to-top