← Back to Explore
sigmahighHunting
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Detection Query
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
selection_flags:
CommandLine|contains:
- "urlcache "
- "verifyctl "
- "URL "
selection_http:
CommandLine|contains:
- .githubusercontent.com
- 0x0.st
- anonfiles.com
- bashupload.com
- cdn.discordapp.com
- chunk.io
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
- x0.at
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-02-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
Tags
attack.stealthattack.t1027attack.command-and-controlattack.t1105
Raw Content
title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
type: similar
- id: 8b48ad89-10d8-4382-a546-50588c410f0d
type: similar
- id: d635249d-86b5-4dad-a8c7-d7272b788586
type: similar
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
- id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
type: similar
- id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
type: similar
- id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
type: similar
- id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
type: similar
- id: b6e04788-29e1-4557-bb14-77f761848ab8
type: similar
- id: a0d7e4d2-bede-4141-8896-bc6e237e977c
type: similar
- id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2026-03-29
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- '0x0.st'
- 'anonfiles.com'
- 'bashupload.com'
- 'cdn.discordapp.com'
- 'chunk.io'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
- 'x0.at'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml