Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule (View on GitHub)
1title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
2id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
3related:
4 - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
5 type: similar
6 - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
7 type: similar
8status: experimental
9description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
10references:
11 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12 - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14 - https://twitter.com/egre55/status/1087685529016193025
15 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16 - https://twitter.com/_JohnHammond/status/1708910264261980634
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2023/02/15
19tags:
20 - attack.defense_evasion
21 - attack.t1027
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_img:
27 - Image|endswith: '\certutil.exe'
28 - OriginalFileName: 'CertUtil.exe'
29 selection_flags:
30 CommandLine|contains:
31 - 'urlcache '
32 - 'verifyctl '
33 selection_http:
34 CommandLine|contains:
35 - '://1'
36 - '://2'
37 - '://3'
38 - '://4'
39 - '://5'
40 - '://6'
41 - '://7'
42 - '://8'
43 - '://9'
44 # filter_local_ips:
45 # # Note: Uncomment this filter if you want to exclude local IPs
46 # CommandLine|contains:
47 # - '://10.' # 10.0.0.0/8
48 # - '://192.168.' # 192.168.0.0/16
49 # - '://172.16.' # 172.16.0.0/12
50 # - '://172.17.'
51 # - '://172.18.'
52 # - '://172.19.'
53 # - '://172.20.'
54 # - '://172.21.'
55 # - '://172.22.'
56 # - '://172.23.'
57 # - '://172.24.'
58 # - '://172.25.'
59 # - '://172.26.'
60 # - '://172.27.'
61 # - '://172.28.'
62 # - '://172.29.'
63 # - '://172.30.'
64 # - '://172.31.'
65 # - '://127.' # 127.0.0.0/8
66 # - '://169.254.' # 169.254.0.0/16
67 filter_main_seven_zip:
68 CommandLine|contains: '://7-' # For https://7-zip.org/
69 condition: all of selection_* and not 1 of filter_main_*
70falsepositives:
71 - Unknown
72level: high
References
-
AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.
Read More -
-
-
.. /Certutil.exe Windows binary used for handling certificates Paths: C:\Windows\System32\certutil.exe C:\Windows\SysWOW64\certutil.exe Resources: Download Download and save 7zip to disk in the cur...
Read More -
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Invoke-Obfuscation CLIP+ Launcher - Security