What Changed
Adds a new hunting query (BadUSBCertutilLOLBIN.yaml) targeting BadUSB HID injection payloads that invoke certutil.exe or cmd.exe via the Windows Run dialog (WIN+R). This is a companion query to the previously merged BadUSBPowerShellRunDialog.yaml (#14336), covering the same physical access / HID injection attack vector but via the certutil LOLBIN path.
Detection Logic
- Data source: DeviceProcessEvents (requires Microsoft Defender for Endpoint / Microsoft Defender XDR connector)
- Core logic: Matches two process spawn patterns within a 1-day timeframe:
  - certutil.exe spawned directly by explorer.exe with LOLBin flags: urlcache, -decode, -decodehex, verifyctl
  - cmd.exe spawned by explorer.exe where the command line contains certutil plus the same flags
- Key differentiator: InitiatingProcessFileName matching explorer.exe isolates Run dialog execution. Existing generic certutil LOLBin queries (Certutil-LOLBins.yaml, imProcess_Certutil-LOLBins.yaml) do not filter on the explorer.exe parent, so they fire on scripted or terminal-invoked certutil use. This query closes that gap.
- Entities mapped: Account (Name, NTDomain), Host (HostName)
MITRE Mapping
| Technique | Description |
|---|---|
| T1200 | Hardware Additions – physical BadUSB device insertion |
| T1027 | Obfuscated Files or Information – certutil base64 decode path |
| T1105 | Ingress Tool Transfer – certutil urlcache download path |
Analyst Notes
This query will not surface certutil use from scripts, scheduled tasks, or interactive terminals because those processes do not inherit explorer.exe as their parent. False positive rate should be low in most enterprise environments. Consider correlating hits with USB device insertion events (DeviceEvents, ActionType == UsbDriveMounted) to confirm physical access.
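The detection logic and the USB-mount correlation from the Analyst Notes, reconstructed as one KQL query. This is an added example, not the contents of BadUSBCertutilLOLBIN.yaml; the 10-minute mount-to-spawn window is an assumption.

```kql
// Added example reconstructing the logic described in this PR; not the merged YAML.
let lookback = 1d;
let certutilFlags = dynamic(["urlcache", "-decode", "-decodehex", "verifyctl"]);
let runDialogCertutil =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // Run dialog (WIN+R) launches inherit explorer.exe as their parent
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where
        // pattern 1: certutil.exe spawned directly with a LOLBin flag
        (FileName =~ "certutil.exe" and ProcessCommandLine has_any (certutilFlags))
        or
        // pattern 2: cmd.exe wrapper whose command line carries certutil plus a flag
        (FileName =~ "cmd.exe" and ProcessCommandLine has "certutil"
            and ProcessCommandLine has_any (certutilFlags))
    | project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain,
              FileName, ProcessCommandLine, InitiatingProcessFileName;
// Physical-access corroboration: a USB drive mounted on the same device
// shortly before the spawn. The 10m window is an assumption, not from the PR.
let usbMounts =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UsbDriveMounted"
    | project MountTime = Timestamp, DeviceId;
runDialogCertutil
| join kind=leftouter usbMounts on DeviceId
| extend UsbMountInWindow = isnotnull(MountTime)
    and MountTime <= Timestamp and MountTime > Timestamp - 10m
// keep one row per spawn; count mounts that fall inside the window
| summarize UsbMounts = countif(UsbMountInWindow)
    by Timestamp, DeviceId, DeviceName, AccountName, AccountDomain,
       FileName, ProcessCommandLine, InitiatingProcessFileName
| extend UsbMountedBefore = UsbMounts > 0
| sort by UsbMountedBefore desc, Timestamp desc
```

Rows with UsbMountedBefore == true are the strongest candidates for the physical BadUSB scenario; the rest still merit review since not every HID device mounts as a drive.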
Affected Files
Hunting Queries/MultipleDataSources/BadUSBCertutilLOLBIN.yaml