Adversaries are using certutil to execute malicious payloads disguised as legitimate certificate utilities, indicating a potential compromise through command-line execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activities that leverage common tools for payload delivery.
KQL Query
DeviceFileEvents
| where InitiatingProcessFileName !~ "certutil.exe"
| where InitiatingProcessFileName !~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("-urlcache", "split", "http")
id: f5ff5b00-a90e-40b8-b241-9427a8ec5189
name: Dropping payload via certutil
description: |
BazaCall is a campaign that manipulate users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
This query hunts for an attacker-created copy of certutil.exe, a legitimate process, which the macro uses to download BazaLoader.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
tactics:
- Initial access
- Defense evasion
query: |
DeviceFileEvents
| where InitiatingProcessFileName !~ "certutil.exe"
| where InitiatingProcessFileName !~ "cmd.exe"
| where InitiatingProcessCommandLine has_all("-urlcache", "split", "http")
| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job Using certutil
Description: A legitimate system maintenance script uses certutil to generate a certificate for secure communication.
Filter/Exclusion: Check for certutil -generate -subject "CN=InternalCert" in scheduled tasks or system logs. Exclude processes associated with the system maintenance service.
Scenario: Admin Task to Update Trusted Certificates
Description: An administrator manually updates trusted root certificates using certutil as part of routine security maintenance.
Filter/Exclusion: Filter by user account (e.g., Administrator or Domain Admins) and check for commands like certutil -addstore -user TrustedRootCertStore.
Scenario: PowerShell Script Using certutil for Certificate Management
Description: A PowerShell script is used to manage certificates for internal services, such as setting up SSL for internal web servers.
Filter/Exclusion: Exclude processes initiated by PowerShell scripts and check for known internal service names in the command line (e.g., certutil -addstore -user MyInternalServiceCert).
Scenario: Certificate Authority (CA) Operations
Description: The enterprise CA uses certutil to issue and manage internal certificates for internal services and users.
Filter/Exclusion: Filter by the CA service account and check for commands related to certificate issuance or renewal (e.g., certutil -dspublish).
Scenario: Malicious Payload Encoded in Certificate Data
Description: A legitimate certificate is used to encode a benign payload, which is then decoded and executed by a script.
Filter/Exclusion: Exclude certificates that are signed by internal CAs and have a known encoding format (e.g., Base64). Check for certificate subject fields containing “Internal” or “Trusted”.