Suspicious Download Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files.

Sigma rule (View on GitHub)

 1title: Suspicious Download Via Certutil.EXE
 2id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
 3related:
 4    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
 5      type: similar
 6status: test
 7description: Detects the execution of certutil with certain flags that allow the utility to download files.
 8references:
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
10    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
11    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
12    - https://twitter.com/egre55/status/1087685529016193025
13    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
14author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
15date: 2023-02-15
16tags:
17    - attack.defense-evasion
18    - attack.t1027
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\certutil.exe'
25        - OriginalFileName: 'CertUtil.exe'
26    selection_flags:
27        CommandLine|contains:
28            - 'urlcache '
29            - 'verifyctl '
30    selection_http:
31        CommandLine|contains: 'http'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: medium

References

Related rules

to-top