Certreq — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/certreq/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 28 Jan 2024 20:47:00 +0000Potential Abuse of Certreq for File Transfer via HTTP POSThttps://feed.craftedsignal.io/briefs/2024-01-certreq-post/Sun, 28 Jan 2024 20:47:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-certreq-post/Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.The Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker executes Certreq.exe with the -Post argument to initiate an HTTP POST request.
  3. The Certreq process attempts to connect to a remote server to send or receive data.
  4. The remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.
  5. The downloaded file is saved to disk (if applicable).
  6. The attacker may execute the downloaded file or further process the exfiltrated data.
  7. The attacker may attempt to clean up the Certreq command from command history or logs to evade detection.

Impact

Successful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker’s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.

Recommendation

  • Deploy the Sigma rule “Detect Certreq HTTP Post Request” to your SIEM to identify potential abuse of Certreq for file transfer.
  • Enable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.
  • Monitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.
  • Investigate any instances of Certreq.exe executing with the -Post argument, as this is not typical usage of the utility.
]]>mediumadvisorylolbincommand-and-controlexfiltrationcertreq