certutil
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0045 | menuPass | (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018) (Citation: Symantec Cicada November 2020) |
G0007 | APT28 | (Citation: Unit 42 Sofacy Feb 2018) (Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
G0010 | Turla | (Citation: Symantec Waterbug Jun 2019) |
G0049 | OilRig | (Citation: FireEye APT34 Dec 2017) |
G0027 | Threat Group-3390 | (Citation: Trend Micro DRBControl February 2020) |
G0126 | Higaisa | (Citation: Malwarebytes Higaisa 2020) (Citation: PTSecurity Higaisa 2020) |
G1006 | Earth Lusca | (Citation: TrendMicro EarthLusca 2022) |
G0096 | APT41 | (Citation: FireEye APT41 March 2020) |
G0075 | Rancor | (Citation: Rancor Unit42 June 2018) |
References
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.