Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

 1title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
 2id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
 3related:
 4    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
 5      type: similar
 6    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
 7      type: similar
 8status: test
 9description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
10references:
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14    - https://twitter.com/egre55/status/1087685529016193025
15    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
17    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
18author: Nasreddine Bencherchali (Nextron Systems)
19date: 2023-02-15
20modified: 2025-12-01
21tags:
22    - attack.defense-evasion
23    - attack.t1027
24    - attack.command-and-control
25    - attack.t1105
26logsource:
27    category: process_creation
28    product: windows
29detection:
30    selection_img:
31        - Image|endswith: '\certutil.exe'
32        - OriginalFileName: 'CertUtil.exe'
33    selection_flags:
34        CommandLine|contains:
35            - 'urlcache '
36            - 'verifyctl '
37            - 'URL '
38    selection_http:
39        CommandLine|contains:
40            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
41            - 'anonfiles.com'
42            - 'cdn.discordapp.com'
43            - 'ddns.net'
44            - 'dl.dropboxusercontent.com'
45            - 'ghostbin.co'
46            - 'glitch.me'
47            - 'gofile.io'
48            - 'hastebin.com'
49            - 'mediafire.com'
50            - 'mega.nz'
51            - 'onrender.com'
52            - 'pages.dev'
53            - 'paste.ee'
54            - 'pastebin.com'
55            - 'pastebin.pl'
56            - 'pastetext.net'
57            - 'privatlab.com'
58            - 'privatlab.net'
59            - 'send.exploit.in'
60            - 'sendspace.com'
61            - 'storage.googleapis.com'
62            - 'storjshare.io'
63            - 'supabase.co'
64            - 'temp.sh'
65            - 'transfer.sh'
66            - 'trycloudflare.com'
67            - 'ufile.io'
68            - 'w3spaces.com'
69            - 'workers.dev'
70    condition: all of selection_*
71falsepositives:
72    - Unknown
73level: high
74regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml

References

• certutil

  

  Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components in Windows.

  
  Read More

• An AgentTesla Sample Using VBA Macros and Certutil

  AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes further AgentTesla malware. If you want to follow along at home, the sample is available in MalwareBazaar here: https://bazaar.abuse.ch/sample/d1c616976e917d54778f587a2550ee5568a72b661d5f04e68d194ce998864d84/.

  
  Read More

• Compromised Exchange server hosting cryptojacker targeting other Exchange servers

  

  An ouroboros of malicious cryptominers takes advantage of the ProxyLogon exploit

  
  Read More

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• Certutil on LOLBAS

  

  Certutil.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog

  

  A distinct subset of Mint Sandstorm targets high-profile individuals working on Middle Eastern affairs at universities and research orgs.

  
  Read More

• certutil – one more GUI lolbin

  

  Cerutil is a very complex tool and only careful review of all its options allows us to comprehend its rich functionality. Lots of its command line arguments are described online all over the place ...

  
  Read More

Related rules

• Suspicious Download Via Certutil.EXE
• Suspicious File Downloaded From Direct IP Via Certutil.EXE
• Password Protected ZIP File Opened (Suspicious Filenames)
• File Download with Headless Browser
• ArcSOC.exe Creating Suspicious Files