{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sysmon-event-id-1---process-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon Event ID 1 - Process Creation","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lolbin","command-and-control","exfiltration","certreq"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Certreq.exe with the \u003ccode\u003e-Post\u003c/code\u003e argument to initiate an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Certreq process attempts to connect to a remote server to send or receive data.\u003c/li\u003e\n\u003cli\u003eThe remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk (if applicable).\u003c/li\u003e\n\u003cli\u003eThe attacker may execute the downloaded file or further process the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to clean up the Certreq command from command history or logs to evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker\u0026rsquo;s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Certreq HTTP Post Request\u0026rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Certreq.exe executing with the \u003ccode\u003e-Post\u003c/code\u003e argument, as this is not typical usage of the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T20:47:00Z","date_published":"2024-01-28T20:47:00Z","id":"/briefs/2024-01-certreq-post/","summary":"Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.","title":"Potential Abuse of Certreq for File Transfer via HTTP POST","url":"https://feed.craftedsignal.io/briefs/2024-01-certreq-post/"}],"language":"en","title":"CraftedSignal Threat Feed — Sysmon Event ID 1 - Process Creation","version":"https://jsonfeed.org/version/1.1"}