Rules Contributing to certutil.exe Certificate Extraction Alert

The following rules are used to identify certutil.exe certificate extraction activity. Any one or more of these will trigger the certutil.exe Certificate Extraction Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title: certutil.exe Certificate Extraction

Description: The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.