Skip to content
Threat Feed
medium advisory

Suspicious CertUtil Commands for Defense Evasion and Lateral Movement

This rule detects suspicious use of certutil.exe, a native Windows utility often abused by attackers for downloading/deobfuscating malware and exfiltrating data, by identifying commands involving decoding, encoding, URL caching, CTL verification, and PFX exporting, which are frequently used for command and control and defense evasion.

CertUtil is a legitimate Windows command-line utility used for managing certificates. However, attackers frequently abuse it to perform malicious activities while "living off the land". This involves using CertUtil to download malware, decode obfuscated files, and potentially exfiltrate data. CertUtil is abused because it is a signed Microsoft binary, making its activity harder to detect and flag as malicious. This activity is frequently seen during post-compromise phases, often associated with lateral movement and establishing command and control channels. The detections focus on the use of CertUtil with specific arguments commonly used for malicious purposes, increasing the likelihood of identifying attacker activity.

Attack Chain

  1. An attacker gains initial access to a compromised system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker uses CertUtil with the urlcache argument to download a malicious payload from a remote server (T1105).
  3. CertUtil is then used with the decode or encode argument to deobfuscate or decode the downloaded payload, often a script or executable (T1140).
  4. The decoded payload is executed, leading to further compromise, such as establishing persistence or installing a backdoor.
  5. The attacker uses CertUtil to export PFX certificates, potentially containing sensitive credentials (T1552.004).
  6. CertUtil is employed to verify Certificate Trust Lists (CTLs) to manipulate trust settings on the system.
  7. The attacker leverages CertUtil to encode files to hexadecimal format to obfuscate data during exfiltration.
  8. Using the compromised system, the attacker attempts to move laterally within the network, using obtained credentials and established backdoors.

Impact

Successful exploitation and abuse of CertUtil can lead to a significant compromise of the affected system. Attackers can gain unauthorized access to sensitive data, including credentials and proprietary information. The number of victims can vary depending on the attacker's objectives and the scope of the initial compromise. Organizations in various sectors are potentially at risk, as CertUtil is a standard component of Windows operating systems. If the attack succeeds, it can result in data breaches, financial losses, and reputational damage.

Recommendation

  • Deploy the Sigma rule "Suspicious CertUtil Commands" to your SIEM to detect malicious usage of CertUtil with arguments like decode, encode, urlcache, verifyctl, encodehex, and exportPFX.
  • Enable process creation logging with command line arguments to provide the necessary data for the Sigma rule to function correctly (process_creation log source).
  • Investigate any alerts generated by the Sigma rule and examine the parent processes and associated network connections for suspicious activity.
  • Monitor network traffic for downloads from unusual or untrusted sources, especially those initiated by CertUtil (network_connection log source).
  • Implement application control policies to restrict the execution of CertUtil to authorized users and use cases.
  • Regularly review and update security policies to address the evolving threat landscape and prevent the abuse of legitimate tools like CertUtil.

Detection coverage 2

Suspicious CertUtil Commands

medium

Detects suspicious CertUtil commands often used for downloading, decoding, or encoding malicious files.

sigma tactics: command_and_control, credential_access, defense_evasion techniques: T1105, T1140, T1552.004 sources: process_creation, windows

CertUtil Download via URLCache

medium

Detects CertUtil being used to download files via the URLCache argument, often used for malware download.

sigma tactics: command_and_control techniques: T1105 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →