detection.wiki

Detection rules › Sigma

Suspicious File Downloaded From Direct IP Via Certutil.EXE

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1027 Obfuscated Files or Information
Command & ControlT1105 Ingress Tool Transfer

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\certutil.exe'
OriginalFileName: CertUtil.exe

Stage 2: all of selection_flags

or:
CommandLine|contains: 'URL '
CommandLine|contains: 'urlcache '
CommandLine|contains: 'verifyctl '

Stage 3: all of selection_http

or:
CommandLine|contains: '://1'
CommandLine|contains: '://2'
CommandLine|contains: '://3'
CommandLine|contains: '://4'
CommandLine|contains: '://5'
CommandLine|contains: '://6'
CommandLine|contains: '://7'
CommandLine|contains: '://8'
CommandLine|contains: '://9'

Stage 4: not 1 of filter_main_seven_zip

CommandLine|contains: '://7-'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • ://1 corpus 3 (sigma 3)
  • ://2 corpus 3 (sigma 3)
  • ://3 corpus 3 (sigma 3)
  • ://4 corpus 3 (sigma 3)
  • ://5 corpus 3 (sigma 3)
  • ://6 corpus 3 (sigma 3)
  • ://7 corpus 3 (sigma 3)
  • ://7- corpus 2 (sigma 2)
  • ://8 corpus 3 (sigma 3)
  • ://9 corpus 3 (sigma 3)
  • URL corpus 3 (sigma 3)
  • urlcache corpus 3 (sigma 3)
  • verifyctl corpus 3 (sigma 3)
Imageends_with
  • \certutil.exe corpus 34 (sigma 34)
OriginalFileNameeq
  • CertUtil.exe corpus 13 (sigma 13)