title: Certutil Initiated Connection
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: experimental
description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth
date: 2022/09/02
modified: 2022/10/04
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
            - 135
            - 445
    condition: selection
falsepositives:
    - Legitimate certutil network connection
level: high