Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Sigma rule (View on GitHub)
1title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
2id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
3related:
4 - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
5 type: similar
6 - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
7 type: similar
8 - id: 8b48ad89-10d8-4382-a546-50588c410f0d
9 type: similar
10 - id: d635249d-86b5-4dad-a8c7-d7272b788586
11 type: similar
12 - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
13 type: similar
14 - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
15 type: similar
16 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
17 type: similar
18 - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
19 type: similar
20 - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
21 type: similar
22 - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
23 type: similar
24 - id: b6e04788-29e1-4557-bb14-77f761848ab8
25 type: similar
26 - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
27 type: similar
28 - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
29 type: similar
30status: test
31description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
32references:
33 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
34 - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
35 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
36 - https://twitter.com/egre55/status/1087685529016193025
37 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
38 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
39 - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
40author: Nasreddine Bencherchali (Nextron Systems)
41date: 2023-02-15
42modified: 2026-03-29
43tags:
44 - attack.stealth
45 - attack.t1027
46 - attack.command-and-control
47 - attack.t1105
48logsource:
49 category: process_creation
50 product: windows
51detection:
52 selection_img:
53 - Image|endswith: '\certutil.exe'
54 - OriginalFileName: 'CertUtil.exe'
55 selection_flags:
56 CommandLine|contains:
57 - 'urlcache '
58 - 'verifyctl '
59 - 'URL '
60 selection_http:
61 CommandLine|contains:
62 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
63 - '0x0.st'
64 - 'anonfiles.com'
65 - 'bashupload.com'
66 - 'cdn.discordapp.com'
67 - 'chunk.io'
68 - 'ddns.net'
69 - 'dl.dropboxusercontent.com'
70 - 'ghostbin.co'
71 - 'github.com'
72 - 'glitch.me'
73 - 'gofile.io'
74 - 'hastebin.com'
75 - 'mediafire.com'
76 - 'mega.nz'
77 - 'onrender.com'
78 - 'pages.dev'
79 - 'paste.ee'
80 - 'pastebin.com'
81 - 'pastebin.pl'
82 - 'pastetext.net'
83 - 'privatlab.com'
84 - 'privatlab.net'
85 - 'send.exploit.in'
86 - 'sendspace.com'
87 - 'storage.googleapis.com'
88 - 'storjshare.io'
89 - 'supabase.co'
90 - 'temp.sh'
91 - 'transfer.sh'
92 - 'trycloudflare.com'
93 - 'ufile.io'
94 - 'w3spaces.com'
95 - 'workers.dev'
96 - 'x0.at'
97 condition: all of selection_*
98falsepositives:
99 - Unknown
100level: high
101regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
References
Related rules
- Password Protected ZIP File Opened (Suspicious Filenames)
- Suspicious Download Via Certutil.EXE
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Browser Execution In Headless Mode