Certutil used to transmit or decode a file
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
What happened
The command {{ @process.executable.name }} was executed, potentially to download malicious tools.
Goal
Detect when certutil is used to download a file or decode content.
Strategy
Threat actors are known to utilize tools found natively in a victim’s environment to accomplish their objectives. Certutil, a legitimate Windows binary, has been abused by malicious actors in the past to fetch additional tools and payloads, as well as decode obfuscated payloads to avoid detection.
Triage and response
- Identify what is being downloaded or decoded.
- If it’s not authorized, isolate the host from the network.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
Requires Agent version 7.50.0 or greater.
