← Back to SOC feed Coverage →

Uncommon Network Connection Initiated By Certutil.EXE

sigma HIGH SigmaHQ
T1105
imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-05T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

Detection Rule

Sigma (Original)

title: Uncommon Network Connection Initiated By Certutil.EXE
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: test
description: |
    Detects a network connection initiated by the certutil.exe utility.
    Attackers can abuse the utility in order to download malware or additional payloads.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth (Nextron Systems)
date: 2022-09-02
modified: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 135
            - 443
            - 445
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imNetworkSession
| where (SrcProcessName endswith "\\certutil.exe" or DstProcessName endswith "\\certutil.exe") and NetworkDirection =~ "true" and (DstPortNumber in~ ("80", "135", "443", "445"))

Required Data Sources

Sentinel TableNotes
imNetworkSessionEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml