Query Details

Certutil Decoding After DNS Lookup Chain (LOLBin DNS Staging)

11 DNS Certutil LOL Bin Chain

Query

let NslookupEvents =
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == 4688
    | where Process =~ "nslookup.exe"
    | summarize
        NslookupCount = count(),
        NslookupTime  = min(TimeGenerated),
        NslookupCmds  = make_set(CommandLine, 5)
      by Computer, Account;
let CertutilEvents =
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == 4688
    | where Process =~ "certutil.exe"
    | where CommandLine has_any ("-decode", "-decodehex", "-urlcache", "-f")
    | summarize
        CertutilCount = count(),
        CertutilTime  = min(TimeGenerated),
        CertutilCmds  = make_set(CommandLine, 5)
      by Computer, Account;
NslookupEvents
| join kind=inner CertutilEvents on Computer, Account
| where CertutilTime > NslookupTime
    and (CertutilTime - NslookupTime) < 10m
| where NslookupCount >= 5
| project
    Computer,
    Account,
    NslookupCount,
    NslookupTime,
    CertutilTime,
    NslookupCmds,
    CertutilCmds,
    TimeDelta = CertutilTime - NslookupTime

Explanation

This query is designed to detect a specific type of cyber attack that uses trusted Windows tools to execute malicious activities. Here's a simplified breakdown:

  1. Purpose: The query identifies a technique where attackers use two legitimate Windows programs, nslookup.exe and certutil.exe, to download and assemble malicious software without raising immediate suspicion.

  2. Attack Chain:

    • Step 1: nslookup.exe is used to make multiple DNS queries to retrieve pieces of data encoded in base64 or hexadecimal format.
    • Step 2: certutil.exe is then used to decode these pieces and reassemble them into a potentially harmful executable file.
  3. Detection Criteria:

    • The query looks for a burst of nslookup.exe activity (at least 5 instances) from the same computer and user account within a 10-minute window before certutil.exe is executed.
    • It checks if certutil.exe is used with specific commands like -decode or -decodehex, which are indicative of this attack method.
  4. Why It Matters: This method is known as a Living-off-the-Land Binary (LOLBin) technique, which leverages trusted system tools to bypass security measures like application whitelisting. It can also operate in environments with restricted scripting capabilities, such as PowerShell Constrained Language Mode.

  5. Severity and Response: The query is set to a high severity level because it detects a sophisticated method of evading security defenses. It triggers an alert if the conditions are met, providing details about the computer and user involved, the number of nslookup calls, and the commands used.

  6. Technical Details:

    • The query runs every 15 minutes and looks back over the past hour.
    • It uses data from security event logs, specifically looking for process creation events (EventID 4688).
  7. Alert Customization: When an alert is triggered, it includes specific details about the detected activity, such as the number of nslookup calls and the commands used by certutil.exe.

Overall, this query helps security teams identify and respond to potential threats that use legitimate tools for malicious purposes, making it harder for attackers to go unnoticed.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

SecurityEventsSecurityEventComputerAccountHostHostNameNameNslookupCertutilCommandLineTimeGeneratedEventIDProcess

Operators

letwhereago=~summarizecountminmake_setbyhas_anyjoinkind=inneronand>=project

Severity

High

Tactics

ExecutionDefenseEvasionCommandAndControl

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub