Detectionhighexperimental
Suspicious CertReq Command to Download
Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files. Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Christian Burkard (Nextron Systems)Created Wed Nov 24Updated Wed Oct 294480827a-9799-4232-b2c4-ccc6c4e9e12bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_img:
- Image|endswith: '\certreq.exe'
- OriginalFileName: 'CertReq.exe'
selection_cli_flag_post:
CommandLine|contains|windash: '-Post'
selection_cli_flag_config:
CommandLine|contains|windash: '-config'
selection_cli_http:
CommandLine|contains: 'http'
condition: all of selection_*False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
4480827a-9799-4232-b2c4-ccc6c4e9e12b
Status
experimental
Level
high
Type
Detection
Created
Wed Nov 24
Modified
Wed Oct 29
Path
rules/windows/process_creation/proc_creation_win_certreq_download.yml
Raw Tags
attack.command-and-controlattack.t1105