About the rule

Rule Type

Standard

Rule Description

Certutil.exe is a legitimate Windows tool used for certificate management, but attackers often abuse it to download malicious payloads—especially from public file-sharing platforms like Pastebin, GitHub, or Transfer.sh. This rule detects when certutil.exe is used to fetch files from known file-sharing domains, which is uncommon in normal administrative activity. Threat actors leverage these platforms to host malware or scripts, blending in with legitimate traffic and evading domain-based security controls. This behavior is a strong indicator of living-off-the-land techniques and potential staging of further malicious activity.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Living-off-the-land binary (LOLBins) abuse → certutil.exe downloads file from public file-sharing site → Payload execution → Persistence → Credential access or lateral movement

Impact

• Malware deployment
• Defense evasion
• Command and control
• Credential theft
• Lateral movement

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Microsoft-Windows-Security-Auditing/Operational setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Obfuscated Files or Information (T1027)

Security standard:

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're alerted to a file being downloaded from a public file-sharing platform using certutil.exe—a living-off-the-land binary (LOLBins) often exploited in malware campaigns.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may be triggered by legitimate administrative activities or scripts that use certutil.exe to download tools, updates, or configuration files from public file-sharing sites like GitHub or Pastebin.

Next Steps

When this rule is triggered, the following measures can be implemented:

• Identification: Review the triggering event to confirm whether the download from the file-sharing site via certutil.exe was expected. Investigate the user account, parent process, and command-line arguments involved in the execution.
• Analysis: Analyze the downloaded file’s hash and check if the file was executed post-download and whether any connections or child processes were spawned. Correlate with threat intel to assess the source domain’s reputation.
• Response: Isolate the endpoint, terminate suspicious processes, and delete the downloaded file. Block the file-sharing domain and review audit logs for signs of lateral movement or persistence.
• Monitor certutil.exe: Restrict or monitor use of certutil.exe via group policy or EDR.

Mitigation