Certutil Decoding After DNS Lookup Chain (LOLBin DNS Staging)
11 DNS Certutil LOL Bin Chain
Query
let NslookupEvents =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688
| where Process =~ "nslookup.exe"
| summarize
NslookupCount = count(),
NslookupTime = min(TimeGenerated),
NslookupCmds = make_set(CommandLine, 5)
by Computer, Account;
let CertutilEvents =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688
| where Process =~ "certutil.exe"
| where CommandLine has_any ("-decode", "-decodehex", "-urlcache", "-f")
| summarize
CertutilCount = count(),
CertutilTime = min(TimeGenerated),
CertutilCmds = make_set(CommandLine, 5)
by Computer, Account;
NslookupEvents
| join kind=inner CertutilEvents on Computer, Account
| where CertutilTime > NslookupTime
and (CertutilTime - NslookupTime) < 10m
| where NslookupCount >= 5
| project
Computer,
Account,
NslookupCount,
NslookupTime,
CertutilTime,
NslookupCmds,
CertutilCmds,
TimeDelta = CertutilTime - NslookupTimeExplanation
This query is designed to detect a specific type of cyber attack that uses trusted Windows tools to execute malicious activities. Here's a simplified breakdown:
-
Purpose: The query identifies a technique where attackers use two legitimate Windows programs,
nslookup.exeandcertutil.exe, to download and assemble malicious software without raising immediate suspicion. -
Attack Chain:
- Step 1:
nslookup.exeis used to make multiple DNS queries to retrieve pieces of data encoded in base64 or hexadecimal format. - Step 2:
certutil.exeis then used to decode these pieces and reassemble them into a potentially harmful executable file.
- Step 1:
-
Detection Criteria:
- The query looks for a burst of
nslookup.exeactivity (at least 5 instances) from the same computer and user account within a 10-minute window beforecertutil.exeis executed. - It checks if
certutil.exeis used with specific commands like-decodeor-decodehex, which are indicative of this attack method.
- The query looks for a burst of
-
Why It Matters: This method is known as a Living-off-the-Land Binary (LOLBin) technique, which leverages trusted system tools to bypass security measures like application whitelisting. It can also operate in environments with restricted scripting capabilities, such as PowerShell Constrained Language Mode.
-
Severity and Response: The query is set to a high severity level because it detects a sophisticated method of evading security defenses. It triggers an alert if the conditions are met, providing details about the computer and user involved, the number of
nslookupcalls, and the commands used. -
Technical Details:
- The query runs every 15 minutes and looks back over the past hour.
- It uses data from security event logs, specifically looking for process creation events (
EventID 4688).
-
Alert Customization: When an alert is triggered, it includes specific details about the detected activity, such as the number of
nslookupcalls and the commands used bycertutil.exe.
Overall, this query helps security teams identify and respond to potential threats that use legitimate tools for malicious purposes, making it harder for attackers to go unnoticed.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h