Suspicious Download Via Certutil.EXE

calendar Feb 15, 2023 · attack.defense_evasion attack.t1027  ·
Share on: linkedin copy

Detects the execution of certutil with certain flags that allow the utility to download files.

Sigma rule (View on GitHub)

 1title: Suspicious Download Via Certutil.EXE
 2id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
 3related:
 4    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
 5      type: similar
 6status: test
 7description: Detects the execution of certutil with certain flags that allow the utility to download files.
 8references:
 9    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
10    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
11    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
12    - https://twitter.com/egre55/status/1087685529016193025
13    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
14author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
15date: 2023/02/15
16tags:
17    - attack.defense_evasion
18    - attack.t1027
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\certutil.exe'
25        - OriginalFileName: 'CertUtil.exe'
26    selection_flags:
27        CommandLine|contains:
28            - 'urlcache '
29            - 'verifyctl '
30    selection_http:
31        CommandLine|contains: 'http'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: medium

References

  • certutil

    Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components.


    Read More

  • An AgentTesla Sample Using VBA Macros and Certutil

    AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.


    Read More

  • Compromised Exchange server hosting cryptojacker targeting other Exchange servers

    An ouroboros of malicious cryptominers takes advantage of the ProxyLogon exploit


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Certutil | LOLBAS

    Download and save 7zip to disk in the current folder. certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Use caseDownload file from Internet Privileges requiredUser Operati...


    Read More

Related rules

to-top