Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Sigma rule (View on GitHub)
1title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
2id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
3related:
4 - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
5 type: similar
6 - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
7 type: similar
8status: test
9description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
10references:
11 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12 - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14 - https://twitter.com/egre55/status/1087685529016193025
15 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16 - https://twitter.com/_JohnHammond/status/1708910264261980634
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2023-02-15
19tags:
20 - attack.defense-evasion
21 - attack.t1027
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_img:
27 - Image|endswith: '\certutil.exe'
28 - OriginalFileName: 'CertUtil.exe'
29 selection_flags:
30 CommandLine|contains:
31 - 'urlcache '
32 - 'verifyctl '
33 selection_http:
34 CommandLine|contains:
35 - '://1'
36 - '://2'
37 - '://3'
38 - '://4'
39 - '://5'
40 - '://6'
41 - '://7'
42 - '://8'
43 - '://9'
44 # filter_local_ips:
45 # # Note: Uncomment this filter if you want to exclude local IPs
46 # CommandLine|contains:
47 # - '://10.' # 10.0.0.0/8
48 # - '://192.168.' # 192.168.0.0/16
49 # - '://172.16.' # 172.16.0.0/12
50 # - '://172.17.'
51 # - '://172.18.'
52 # - '://172.19.'
53 # - '://172.20.'
54 # - '://172.21.'
55 # - '://172.22.'
56 # - '://172.23.'
57 # - '://172.24.'
58 # - '://172.25.'
59 # - '://172.26.'
60 # - '://172.27.'
61 # - '://172.28.'
62 # - '://172.29.'
63 # - '://172.30.'
64 # - '://172.31.'
65 # - '://127.' # 127.0.0.0/8
66 # - '://169.254.' # 169.254.0.0/16
67 filter_main_seven_zip:
68 CommandLine|contains: '://7-' # For https://7-zip.org/
69 condition: all of selection_* and not 1 of filter_main_*
70falsepositives:
71 - Unknown
72level: high
References
-
AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.
Read More -
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs