
Certutil (LOLBins and LOLScripts, Normalized Process Events)

Query language: KQL · Severity: MEDIUM · Source repository: Azure-Sentinel
ATT&CK technique: T1105
Data table: imProcessCreate
Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-04-21T09:00:00Z · Confidence: medium

Hunt Hypothesis

'This detection uses Normalized Process Events to hunt Certutil activities'

KQL Query

imProcessCreate
| where Process has "certutil.exe"
// Uncomment the next line and add your CommandLine whitelisted/ignore terms. For example: "urlcache"
// | where CommandLine !contains ("urlcache")
| extend HostCustomEntity = Dvc, AccountCustomEntity = User

Analytic Rule Definition

id: 28233666-c235-4d55-b456-5cfdda29d62d
name: Certutil (LOLBins and LOLScripts, Normalized Process Events)
description: |
  'This detection uses Normalized Process Events to hunt Certutil activities'

requiredDataConnectors: []
tactics:
  - CommandAndControl
relevantTechniques:
  - T1105

query: |
  imProcessCreate
  | where Process has "certutil.exe"
  // Uncomment the next line and add your CommandLine whitelisted/ignore terms. For example: "urlcache"
  // | where CommandLine !contains ("urlcache")
  | extend HostCustomEntity = Dvc, AccountCustomEntity = User

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml