Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule (View on GitHub)
1title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
2id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
3related:
4 - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
5 type: similar
6 - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
7 type: similar
8status: test
9description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
10references:
11 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12 - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14 - https://twitter.com/egre55/status/1087685529016193025
15 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16 - https://twitter.com/_JohnHammond/status/1708910264261980634
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2023/02/15
19tags:
20 - attack.defense_evasion
21 - attack.t1027
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_img:
27 - Image|endswith: '\certutil.exe'
28 - OriginalFileName: 'CertUtil.exe'
29 selection_flags:
30 CommandLine|contains:
31 - 'urlcache '
32 - 'verifyctl '
33 selection_http:
34 CommandLine|contains:
35 - '://1'
36 - '://2'
37 - '://3'
38 - '://4'
39 - '://5'
40 - '://6'
41 - '://7'
42 - '://8'
43 - '://9'
44 # filter_local_ips:
45 # # Note: Uncomment this filter if you want to exclude local IPs
46 # CommandLine|contains:
47 # - '://10.' # 10.0.0.0/8
48 # - '://192.168.' # 192.168.0.0/16
49 # - '://172.16.' # 172.16.0.0/12
50 # - '://172.17.'
51 # - '://172.18.'
52 # - '://172.19.'
53 # - '://172.20.'
54 # - '://172.21.'
55 # - '://172.22.'
56 # - '://172.23.'
57 # - '://172.24.'
58 # - '://172.25.'
59 # - '://172.26.'
60 # - '://172.27.'
61 # - '://172.28.'
62 # - '://172.29.'
63 # - '://172.30.'
64 # - '://172.31.'
65 # - '://127.' # 127.0.0.0/8
66 # - '://169.254.' # 169.254.0.0/16
67 filter_main_seven_zip:
68 CommandLine|contains: '://7-' # For https://7-zip.org/
69 condition: all of selection_* and not 1 of filter_main_*
70falsepositives:
71 - Unknown
72level: high
References
-
AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.
Read More -
-
-
Download and save 7zip to disk in the current folder. certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Use caseDownload file from Internet Privileges requiredUser Operati...
Read More -
Related rules
- Invoke-Obfuscation CLIP+ Launcher - System
- PUA - Potential PE Metadata Tamper Using Rcedit
- Suspicious Execution From GUID Like Folder Names
- Suspicious SYSTEM User Process Creation
- Potential PowerShell Obfuscation Using Alias Cmdlets