Query Details

Device Detect Cert Util Connecting Externally

Query

//Detects when certutil is used to connect to a public IP. This could indicate abuse of certutil, see - https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIPType,
    LocalIP,
    RemoteIPType,
    RemoteIP,
    RemoteUrl,
    RemotePort
| where InitiatingProcessCommandLine contains "certutil"
| where RemoteIPType == "Public"

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

//Advanced Hunting exposes the event time as Timestamp rather than TimeGenerated
DeviceNetworkEvents
| where Timestamp > ago(7d)
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIPType,
    LocalIP,
    RemoteIPType,
    RemoteIP,
    RemoteUrl,
    RemotePort
| where InitiatingProcessCommandLine contains "certutil"
| where RemoteIPType == "Public"

Explanation

This query detects instances where the certutil tool is used to connect to a public IP address. It retrieves information such as the time, device name, account name, command line, local and remote IP addresses, remote URL, and remote port. The query filters the results to only include instances where the certutil tool is used and the remote IP address is public.
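The same filtering logic applied to a handful of constructed DeviceNetworkEvents rows, as an added Python example rather than anything from the original query page: the event rows, the fixed "now" and the helper names are all assumptions made for the example, and RemoteIPType is taken from the row exactly as the KQL query takes it from the table. The rows cover the cases a tuner cares about: a mixed-case command line (KQL `contains` is case-insensitive), a private remote address, an unrelated process, and an event older than the 7-day window.

```python
from datetime import datetime, timedelta, timezone
# Fixed "now" so the 7-day window behaves deterministically in this example.
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)

# Columns kept by the query's "project" step.
PROJECTED = ["TimeGenerated", "DeviceName", "InitiatingProcessAccountName",
             "InitiatingProcessCommandLine", "LocalIPType", "LocalIP",
             "RemoteIPType", "RemoteIP", "RemoteUrl", "RemotePort"]

def _event(age, device, account, cmd, remote_type, remote_ip, port):
    # Constructed DeviceNetworkEvents row (sample data, not real telemetry).
    return {"TimeGenerated": NOW - age, "DeviceName": device,
            "InitiatingProcessAccountName": account, "InitiatingProcessCommandLine": cmd,
            "LocalIPType": "Private", "LocalIP": "10.0.0.5",
            "RemoteIPType": remote_type, "RemoteIP": remote_ip,
            "RemoteUrl": remote_ip, "RemotePort": port}

SAMPLE_EVENTS = [
    # certutil reaching a public address inside the window: should match
    _event(timedelta(hours=2), "ws01", "alice",
           "certutil.exe -urlcache -f http://203.0.113.10/cert.crt cert.crt", "Public", "203.0.113.10", 80),
    # mixed case: KQL "contains" is case-insensitive, so this should also match
    _event(timedelta(days=1), "ws02", "bob",
           "CertUtil.exe -urlcache -f http://198.51.100.7/a.crt a.crt", "Public", "198.51.100.7", 80),
    # certutil talking to an internal CA: RemoteIPType is Private, no match
    _event(timedelta(hours=5), "ws03", "carol",
           "certutil.exe -verify -urlfetch server.cer", "Private", "10.0.0.20", 80),
    # unrelated process to a public address: no match
    _event(timedelta(hours=1), "ws04", "dave", "msedge.exe --type=renderer", "Public", "203.0.113.20", 443),
    # certutil to a public address but outside the 7-day window: no match
    _event(timedelta(days=10), "ws05", "erin",
           "certutil.exe -urlcache -f http://203.0.113.30/b.crt b.crt", "Public", "203.0.113.30", 80),
]

def detect_certutil_external(events, now=NOW, window=timedelta(days=7)):
    """Apply the page's filters: last 7 days, 'certutil' in the command line, public remote IP."""
    hits = []
    for e in events:
        if e["TimeGenerated"] <= now - window:                            # | where TimeGenerated > ago(7d)
            continue
        if "certutil" not in e["InitiatingProcessCommandLine"].lower():  # | where ... contains "certutil"
            continue
        if e["RemoteIPType"] != "Public":                                 # | where RemoteIPType == "Public"
            continue
        hits.append({k: e[k] for k in PROJECTED})                         # | project ...
    return hits
```

Calling detect_certutil_external(SAMPLE_EVENTS) returns only the ws01 and ws02 rows, each reduced to the projected columns.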

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, LocalIPType, LocalIP, RemoteIPType, RemoteIP, RemoteUrl, RemotePort, certutil, Public

Operators

where, project, contains, ==
