Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Sigma rule (View on GitHub)
1title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
2id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
3related:
4 - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
5 type: similar
6 - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
7 type: similar
8status: experimental
9description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
10references:
11 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12 - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14 - https://twitter.com/egre55/status/1087685529016193025
15 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2023-02-15
19modified: 2024-08-22
20tags:
21 - attack.defense-evasion
22 - attack.t1027
23logsource:
24 category: process_creation
25 product: windows
26detection:
27 selection_img:
28 - Image|endswith: '\certutil.exe'
29 - OriginalFileName: 'CertUtil.exe'
30 selection_flags:
31 CommandLine|contains:
32 - 'urlcache '
33 - 'verifyctl '
34 selection_http:
35 CommandLine|contains:
36 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
37 - 'anonfiles.com'
38 - 'cdn.discordapp.com'
39 - 'ddns.net'
40 - 'dl.dropboxusercontent.com'
41 - 'ghostbin.co'
42 - 'glitch.me'
43 - 'gofile.io'
44 - 'hastebin.com'
45 - 'mediafire.com'
46 - 'mega.nz'
47 - 'onrender.com'
48 - 'pages.dev'
49 - 'paste.ee'
50 - 'pastebin.com'
51 - 'pastebin.pl'
52 - 'pastetext.net'
53 - 'privatlab.com'
54 - 'privatlab.net'
55 - 'send.exploit.in'
56 - 'sendspace.com'
57 - 'storage.googleapis.com'
58 - 'storjshare.io'
59 - 'supabase.co'
60 - 'temp.sh'
61 - 'transfer.sh'
62 - 'trycloudflare.com'
63 - 'ufile.io'
64 - 'w3spaces.com'
65 - 'workers.dev'
66 condition: all of selection_*
67falsepositives:
68 - Unknown
69level: high
References
-
AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.
Read More -
-
Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
A distinct subset of Mint Sandstorm targets high-profile individuals working on Middle Eastern affairs at universities and research orgs.
Read More
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs