Uncommon Network Connection Initiated By Certutil.EXE

calendar Aug 12, 2024 · attack.command-and-control attack.t1105  ·
Share on: linkedin copy

Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

Sigma rule (View on GitHub)

 1title: Uncommon Network Connection Initiated By Certutil.EXE
 2id: 0dba975d-a193-4ed1-a067-424df57570d1
 3status: test
 4description: |
 5    Detects a network connection initiated by the certutil.exe utility.
 6    Attackers can abuse the utility in order to download malware or additional payloads.    
 7references:
 8    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 9author: frack113, Florian Roth (Nextron Systems)
10date: 2022-09-02
11modified: 2024-05-31
12tags:
13    - attack.command-and-control
14    - attack.t1105
15logsource:
16    category: network_connection
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\certutil.exe'
21        Initiated: 'true'
22        DestinationPort:
23            - 80
24            - 135
25            - 443
26            - 445
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

  • certutil

    Learn about certutil, a command-line program that displays CA configuration information, configures Certificate Services, and backs up and restores CA components in Windows.


    Read More

Related rules

to-top