From 97d9dc842a964499bf1d83995ba60e64482bcada Mon Sep 17 00:00:00 2001 From: LocalLoopBack <38758896+Snausage0x45@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:52:57 -0700 Subject: [PATCH 1/5] Update Certutil.yml with new flag and update previous flag Added the '-URL' argument which allows for downloads through a GUI for which credit goes to @Hexacorn (https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/) removed the '-split' flag from the existing '-urlcache' command as it is not actually required and makes the detections too narrow --- yml/OSBinaries/Certutil.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 75445ed16..b316e6099 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -4,26 +4,32 @@ Description: Windows binary used for handling certificates Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + - Command: certutil.exe -urlcache -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe + - Command: certutil.exe -verifyctl -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + - Command: certutil.exe -urlcache -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt Description: Download and save a PS1 file to an Alternate Data Stream (ADS). Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 + - Command: certutil.exe -URL http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -encode inputFileName encodedOutputFileName Description: Command to encode a file using Base64 
@@ -75,3 +81,7 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Lior Adar + - Person: Adam + Handle: '@hexacorn' + - Person: SomeTestLeper + Handle: '@SomeTestLeper' From 8421c878dafe25dea4999a0ffd0f26172113e4a9 Mon Sep 17 00:00:00 2001 From: LocalLoopBack <38758896+Snausage0x45@users.noreply.github.com> Date: Mon, 30 Sep 2024 18:02:30 -0700 Subject: [PATCH 2/5] fixed borked tabbing Certutil.yml --- yml/OSBinaries/Certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index b316e6099..67deee644 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -24,7 +24,7 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - - Command: certutil.exe -URL http://7-zip.org/a/7z1604-x64.exe 7zip.exe + - Command: certutil.exe -URL http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. Usecase: Download file from Internet Category: Download From d4d55a5deeb670a6e9954c68c839802210557a60 Mon Sep 17 00:00:00 2001 From: LocalLoopBack <38758896+Snausage0x45@users.noreply.github.com> Date: Mon, 30 Sep 2024 18:06:54 -0700 Subject: [PATCH 3/5] Update Certutil.yml --- yml/OSBinaries/Certutil.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 67deee644..83b84eb25 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -24,6 +24,7 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -URL http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. Usecase: Download file from Internet 
@@ -31,6 +32,7 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -encode inputFileName encodedOutputFileName Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures From 1842b53990eb1e2e8204ade11da2b4a7c818da0c Mon Sep 17 00:00:00 2001 From: LocalLoopBack <38758896+Snausage0x45@users.noreply.github.com> Date: Mon, 30 Sep 2024 18:07:21 -0700 Subject: [PATCH 4/5] Update Certutil.yml i'm dumb --- yml/OSBinaries/Certutil.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 83b84eb25..c4be4de38 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -32,7 +32,6 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -encode inputFileName encodedOutputFileName Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures From 3a269efa9c86cc6fa09269e118d1d51a996c875f Mon Sep 17 00:00:00 2001 From: Wietze Date: Tue, 1 Oct 2024 22:20:04 +0100 Subject: [PATCH 5/5] Add GUI tag --- yml/OSBinaries/Certutil.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index c4be4de38..e2a906182 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -32,6 +32,8 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Application: GUI - Command: certutil -encode inputFileName encodedOutputFileName Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures
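Review bot: in the Commands hunk of PATCH 1/5, the new `-URL` entry is inserted between the ADS entry's `MitreID: T1564.004` line and that entry's `OperatingSystem:` line, so the ADS entry loses its OperatingSystem field and the new entry silently inherits it; PATCH 3/5 and 4/5 repair this by trial and error, so squash the series so no intermediate commit leaves the YAML in that state. The same hunk also reorders the second entry from `-verifyctl -f -split` to `-verifyctl -split -f`, which the commit message does not mention; either drop the reorder or state why it is wanted. Finally, the added `-URL` Description is copied verbatim from the non-interactive `-urlcache` entries ("Download and save 7zip to disk in the current folder."), while the commit message says the download goes through a GUI; the Description should say the command opens a dialog and needs user interaction to complete the download.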
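Review bot: in the Acknowledgement hunk of PATCH 1/5, the new `SomeTestLeper` entry is not explained anywhere in the commit message, which credits only @Hexacorn; say what that person contributed or drop the entry. `Person: Adam` is also only a first name where the neighbouring entries use either a full name (`Lior Adar`) or a handle (`egre55`); match one of those conventions.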
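Review bot: the second hunk of PATCH 3/5 adds a second `OperatingSystem:` line to the `-URL` entry, giving the mapping a duplicate key that strict YAML loaders reject; PATCH 4/5 removes it again one minute later. Both patches, together with the whitespace fix in PATCH 2/5, should be folded into PATCH 1/5 so that only a single, well-formed change lands.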
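Review bot: the `Tags: - Application: GUI` addition in PATCH 5/5 is currently the only signal that this entry is interactive; the `Description:`, `Usecase:` and `Privileges:` lines above it still read identically to the `-urlcache` entries. Pair the tag with a Description that states the dialog must be driven by a user, so consumers of the entry do not treat it as a scriptable download like the others.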