Windows CertUtil URLCache Download

Try in Splunk Security Cloud

Description

Certutil.exe may download a file from a remote destination using -urlcache. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. However, it is uncommon for certutil.exe to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.

• Type: TTP
• Product: Splunk Behavioral Analytics
• Datamodel: Endpoint_Processes
• Last Updated: 2022-02-16
• Author: Michael Haag, Splunk
• ID: 8cb1ad38-8f6d-11ec-87a3-acde48001122

ATT&CK

ID	Technique	Tactic
T1105	Ingress Tool Transfer	Command And Control

Search

| from read_ssa_enriched_events() 
| where "Endpoint_Processes" IN(_datamodels) 
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line IS NOT NULL AND process_name IS NOT NULL AND process_name="certutil.exe" AND (like (cmd_line, "%urlcache%") AND like (cmd_line, "%split%")) OR (like (cmd_line, "%urlcache%")) 
| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)) 
| eval body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) 
| into write_ssa_detected_events();

Macros

The SPL above uses the following Macros:

Note that windows_certutil_urlcache_download_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

• _time
• dest_device_id
• process_name
• parent_process_name
• process_path
• dest_user_id
• process
• cmd_line

How To Implement

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node.

Known False Positives

Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.

Associated Analytic story

• Ingress Tool Transfer
• DarkSide Ransomware
• Living Off The Land

Kill Chain Phase

• Exploitation

RBA

Risk Score	Impact	Confidence	Message
90.0	90	100	An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest_device_id$ by user $dest_user_id$ attempting to download a file.

Note that risk score is calculated base on the following formula: (Impact * Confidence)/100

Reference

• https://attack.mitre.org/techniques/T1105/
• https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats
• https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log

source | version: 1