Connection Initiated Via Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Sigma rule (View on GitHub)
1title: Connection Initiated Via Certutil.EXE
2id: 0dba975d-a193-4ed1-a067-424df57570d1
3status: test
4description: |
5 Detects a network connection initiated by the certutil.exe utility.
6 Attackers can abuse the utility in order to download malware or additional payloads.
7references:
8 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
9author: frack113, Florian Roth (Nextron Systems)
10date: 2022/09/02
11modified: 2022/10/04
12tags:
13 - attack.command_and_control
14 - attack.t1105
15logsource:
16 category: network_connection
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\certutil.exe'
21 Initiated: 'true'
22 DestinationPort:
23 - 80
24 - 135
25 - 443
26 - 445
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- Network Connection Initiated By IMEWDBLD.EXE
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Remote File Download Via Desktopimgdownldr Utility
- File Download Using Notepad++ GUP Utility