← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious File Downloaded From Direct IP Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

Quality
66
FP risk
Forks
0
Views
0
ATT&CK techniques
T1027T1105
Rule sourcerules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://twitter.com/_JohnHammond/status/1708910264261980634
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
    - attack.defense-evasion
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    # filter_local_ips:
    #     # Note: Uncomment this filter if you want to exclude local IPs
    #     CommandLine|contains:
    #         - '://10.' # 10.0.0.0/8
    #         - '://192.168.' # 192.168.0.0/16
    #         - '://172.16.' # 172.16.0.0/12
    #         - '://172.17.'
    #         - '://172.18.'
    #         - '://172.19.'
    #         - '://172.20.'
    #         - '://172.21.'
    #         - '://172.22.'
    #         - '://172.23.'
    #         - '://172.24.'
    #         - '://172.25.'
    #         - '://172.26.'
    #         - '://172.27.'
    #         - '://172.28.'
    #         - '://172.29.'
    #         - '://172.30.'
    #         - '://172.31.'
    #         - '://127.' # 127.0.0.0/8
    #         - '://169.254.' # 169.254.0.0/16
    filter_main_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml