Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Sigma rule (View on GitHub)

 1title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
 2id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
 3related:
 4    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
 5      type: similar
 6    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
 7      type: similar
 8status: experimental
 9description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
10references:
11    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
12    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
13    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
14    - https://twitter.com/egre55/status/1087685529016193025
15    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
16    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2023-02-15
19modified: 2024-08-22
20tags:
21    - attack.defense-evasion
22    - attack.t1027
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith: '\certutil.exe'
29        - OriginalFileName: 'CertUtil.exe'
30    selection_flags:
31        CommandLine|contains:
32            - 'urlcache '
33            - 'verifyctl '
34    selection_http:
35        CommandLine|contains:
36            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
37            - 'anonfiles.com'
38            - 'cdn.discordapp.com'
39            - 'ddns.net'
40            - 'dl.dropboxusercontent.com'
41            - 'ghostbin.co'
42            - 'glitch.me'
43            - 'gofile.io'
44            - 'hastebin.com'
45            - 'mediafire.com'
46            - 'mega.nz'
47            - 'onrender.com'
48            - 'pages.dev'
49            - 'paste.ee'
50            - 'pastebin.com'
51            - 'pastebin.pl'
52            - 'pastetext.net'
53            - 'privatlab.com'
54            - 'privatlab.net'
55            - 'send.exploit.in'
56            - 'sendspace.com'
57            - 'storage.googleapis.com'
58            - 'storjshare.io'
59            - 'supabase.co'
60            - 'temp.sh'
61            - 'transfer.sh'
62            - 'trycloudflare.com'
63            - 'ufile.io'
64            - 'w3spaces.com'
65            - 'workers.dev'
66    condition: all of selection_*
67falsepositives:
68    - Unknown
69level: high

References

Related rules

to-top