Query Details

11 DNS Certutil LOL Bin Chain

Query

id: a1b2c3d4-0011-4a5b-8c9d-dns011certutil
name: Certutil Decoding After DNS Lookup Chain (LOLBin DNS Staging)
description: |
  Detects the classic DNS payload staging attack chain documented by Octoberfest7:
  1. nslookup.exe makes many TXT/MX queries to retrieve base64/hex chunks
  2. certutil.exe -decode or -decodehex reassembles the chunks into an executable
  This is a Living-off-the-Land Binary (LOLBin) technique that works in
  PowerShell Constrained Language Mode (CLM) and can evade application
  whitelisting, as both nslookup.exe and certutil.exe are trusted Windows binaries.
  The chain: nslookup (many calls) → certutil -decode → executable creation
  MITRE T1218.003 (certutil), T1027 (obfuscated files), T1071.004 (DNS)
  Differentiation from built-in "CertUtil Used to Download Files"
  (Endpoint Threat Protection Essentials):
  The built-in fires on any certutil.exe download event in isolation. This rule
  requires TEMPORAL CORRELATION — a burst of nslookup DNS activity from the same
  host within 10 minutes before the certutil execution, proving the DNS-staging
  delivery chain rather than standalone certutil use. This eliminates noise from
  legitimate PKI certificate operations that trigger the built-in rule.
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 15m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Execution
  - DefenseEvasion
  - CommandAndControl
relevantTechniques:
  - T1218.003
  - T1027
  - T1071.004
tags:
  - LOLBin
  - certutil
  - nslookup
  - DNS payload staging
  - Constrained Language Mode bypass
  - Octoberfest7
query: |
  // Stage 1: burst of nslookup.exe process creations per host and account in the last hour
  let NslookupEvents =
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where EventID == 4688
      | where Process =~ "nslookup.exe"
      | summarize
          NslookupCount = count(),
          NslookupTime  = min(TimeGenerated),     // first lookup of the burst
          NslookupCmds  = make_set(CommandLine, 5) // up to 5 distinct command lines
        by Computer, Account;
  // Stage 2: certutil.exe invoked with a decode or download verb
  let CertutilEvents =
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where EventID == 4688
      | where Process =~ "certutil.exe"
      | where CommandLine has_any ("-decode", "-decodehex", "-urlcache", "-f")
      | summarize
          CertutilCount = count(),
          CertutilTime  = min(TimeGenerated),     // first certutil execution
          CertutilCmds  = make_set(CommandLine, 5)
        by Computer, Account;
  // Correlate: certutil must run after the first nslookup of the burst and within
  // 10 minutes of it, and the burst must contain at least 5 nslookup executions
  NslookupEvents
  | join kind=inner CertutilEvents on Computer, Account
  | where CertutilTime > NslookupTime
      and (CertutilTime - NslookupTime) < 10m
  | where NslookupCount >= 5
  | project
      Computer,
      Account,
      NslookupCount,
      NslookupTime,
      CertutilTime,
      NslookupCmds,
      CertutilCmds,
      TimeDelta = CertutilTime - NslookupTime
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: Account
alertDetailsOverride:
  alertDisplayNameFormat: "LOLBin DNS Staging — nslookup+certutil chain on {{Computer}}"
  alertDescriptionFormat: "{{Computer}} ({{Account}}): {{NslookupCount}} nslookup calls followed by certutil -decode within {{TimeDelta}}. This matches DNS payload staging via LOLBins. nslookup cmds: {{NslookupCmds}}, certutil cmds: {{CertutilCmds}}"
customDetails:
  NslookupCount: NslookupCount
  CertutilCmds: CertutilCmds

Explanation

This query is designed to detect a specific type of cyber attack that uses trusted Windows tools to execute malicious activities. Here's a simplified breakdown:

  1. Purpose: The query identifies a technique where attackers use two legitimate Windows programs, nslookup.exe and certutil.exe, to download and assemble malicious software without raising immediate suspicion.

  2. Attack Chain:
    • Step 1: nslookup.exe is used to make multiple DNS queries to retrieve pieces of data encoded in base64 or hexadecimal format.
    • Step 2: certutil.exe is then used to decode these pieces and reassemble them into a potentially harmful executable file.

  3. Detection Criteria:
    • The query looks for a burst of nslookup.exe activity (at least 5 instances) from the same computer and user account within a 10-minute window before certutil.exe is executed.
    • It checks if certutil.exe is used with specific commands like -decode or -decodehex, which are indicative of this attack method.

  4. Why It Matters: This method is known as a Living-off-the-Land Binary (LOLBin) technique, which leverages trusted system tools to bypass security measures like application whitelisting. It can also operate in environments with restricted scripting capabilities, such as PowerShell Constrained Language Mode.

  5. Severity and Response: The query is set to a high severity level because it detects a sophisticated method of evading security defenses. It triggers an alert if the conditions are met, providing details about the computer and user involved, the number of nslookup calls, and the commands used.

  6. Technical Details:
    • The query runs every 15 minutes and looks back over the past hour.
    • It uses data from security event logs, specifically looking for process creation events (EventID 4688).

  7. Alert Customization: When an alert is triggered, it includes specific details about the detected activity, such as the number of nslookup calls and the commands used by certutil.exe.

Overall, this query helps security teams identify and respond to potential threats that use legitimate tools for malicious purposes, making it harder for attackers to go unnoticed.
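To make the correlation logic in the Detection Criteria concrete without a Sentinel workspace, here is an added Python re-implementation of the rule's summarize, join and where steps, run over constructed 4688-style records. This is example code written for this page, not the rule author's code; the hostnames, accounts, timestamps and command lines are fabricated, and the has_any helper is only an approximation of KQL's term matching. It also goes one step beyond the page by letting you vary the burst threshold and window to see which sample hosts fall in or out.

```python
from collections import defaultdict
from datetime import datetime

# --- Constructed sample telemetry (not real logs) ---------------------------
# Each record mimics the SecurityEvent columns the rule reads from a Windows
# 4688 process-creation event. Hosts, accounts and domains are made up.
def _ev(ts, host, acct, proc, cmd):
    return {"TimeGenerated": ts, "Computer": host, "Account": acct,
            "EventID": 4688, "Process": proc, "CommandLine": cmd}

def _burst(hour, host, acct, n):
    # n nslookup TXT queries, five seconds apart, starting at hour:00:00
    return [_ev(f"2026-03-26T{hour}:00:{i*5:02d}", host, acct, "nslookup.exe",
                f"nslookup -type=TXT c{i}.example.invalid") for i in range(n)]

SAMPLE_EVENTS = (
    # WS01/alice: 6 lookups, certutil -decode 4 minutes after the first -> matches the chain
    _burst("10", "WS01", "CORP\\alice", 6)
    + [_ev("2026-03-26T10:04:00", "WS01", "CORP\\alice", "certutil.exe",
           "certutil -decode staged.txt out.exe")]
    # WS02/bob: lone certutil -decode (PKI housekeeping), no nslookup burst -> no alert
    + [_ev("2026-03-26T11:00:00", "WS02", "CORP\\bob", "certutil.exe",
           "certutil -decode cert.b64 cert.cer")]
    # WS03/carol: 7 lookups but certutil 30 minutes later -> outside the 10-minute window
    + _burst("12", "WS03", "CORP\\carol", 7)
    + [_ev("2026-03-26T12:30:00", "WS03", "CORP\\carol", "certutil.exe",
           "certutil -decodehex blob.hex tool.exe")]
    # WS04/dave: only 3 lookups before certutil -> below the burst threshold
    + _burst("13", "WS04", "CORP\\dave", 3)
    + [_ev("2026-03-26T13:02:00", "WS04", "CORP\\dave", "certutil.exe",
           "certutil -decode a.txt b.exe")]
    # WS05/erin: 6 lookups then certutil -verify, not a decode/download verb -> no alert
    + _burst("14", "WS05", "CORP\\erin", 6)
    + [_ev("2026-03-26T14:01:00", "WS05", "CORP\\erin", "certutil.exe",
           "certutil -verify site.cer")]
)

# Same verb list as the rule's has_any clause
CERTUTIL_TERMS = ("-decode", "-decodehex", "-urlcache", "-f")

def has_any(cmdline, terms):
    """Approximation of KQL has_any: case-insensitive whole-token match, with the
    leading '-' or '/' stripped because KQL term matching ignores punctuation."""
    tokens = {t.lstrip("-/").lower() for t in cmdline.split()}
    return any(t.lstrip("-").lower() in tokens for t in terms)

def make_set(values, limit=5):
    """Mimic make_set(col, limit): distinct values, capped at limit."""
    return sorted(set(values))[:limit]

def correlate(events, window_minutes=10, min_nslookup=5):
    """Re-implements the rule: one row per (Computer, Account) where a burst of at
    least min_nslookup nslookup executions is followed, within window_minutes of
    the first lookup, by certutil with a decode/download verb."""
    nslookup, certutil = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] != 4688:
            continue                      # the rule only reads process-creation events
        key = (e["Computer"], e["Account"])
        proc = e["Process"].lower()       # =~ is case-insensitive
        if proc == "nslookup.exe":
            nslookup[key].append(e)
        elif proc == "certutil.exe" and has_any(e["CommandLine"], CERTUTIL_TERMS):
            certutil[key].append(e)

    alerts = []
    for key in sorted(nslookup.keys() & certutil.keys()):   # join kind=inner
        ns_first = min(datetime.fromisoformat(e["TimeGenerated"]) for e in nslookup[key])
        cu_first = min(datetime.fromisoformat(e["TimeGenerated"]) for e in certutil[key])
        delta = (cu_first - ns_first).total_seconds()
        if not (0 < delta < window_minutes * 60):
            continue                      # certutil must follow the burst, inside the window
        if len(nslookup[key]) < min_nslookup:
            continue                      # too few lookups to count as a burst
        alerts.append({
            "Computer": key[0], "Account": key[1],
            "NslookupCount": len(nslookup[key]),
            "NslookupTime": ns_first.isoformat(),
            "CertutilTime": cu_first.isoformat(),
            "NslookupCmds": make_set(e["CommandLine"] for e in nslookup[key]),
            "CertutilCmds": make_set(e["CommandLine"] for e in certutil[key]),
            "TimeDeltaSeconds": int(delta),
        })
    return alerts

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(f"{row['Computer']} {row['Account']}: {row['NslookupCount']} nslookup calls, "
              f"certutil {row['TimeDeltaSeconds']}s after the first lookup -> {row['CertutilCmds']}")
```

Only WS01/alice fires with the rule's defaults; WS02 shows why the lone-certutil noise the description mentions is excluded, and WS03 and WS04 show the two thresholds at work. Note that, as in the KQL, the window is measured from the first nslookup in the burst, so a slow drip of lookups spread over more than ten minutes would not correlate.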

Details

David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

SecurityEvents, SecurityEvent, Computer, Account, Host, HostName, Name, Nslookup, Certutil, CommandLine, TimeGenerated, EventID, Process

Operators

let, where, ago, =~, summarize, count, min, make_set, by, has_any, join, kind=inner, on, and, >=, project