Certutil Remote Download
Query
DeviceProcessEvents
| where FileName == "certutil.exe"
| where tolower(ProcessCommandLine) has_all ("http", "urlcache", "-f")
| project-reorder Timestamp, ProcessCommandLine, FileName, InitiatingProcessAccountUpnAbout this query
Explanation
This query is designed to detect potentially malicious activity involving the use of the certutil.exe tool on a device. Here's a simple breakdown:
-
Purpose: The query aims to identify instances where the
certutil.exetool is used to download files from the internet. This behavior is often associated with malicious activity, as attackers may use this legitimate tool to transfer harmful files into a compromised environment. -
How it Works:
- The query looks at events related to processes on a device (
DeviceProcessEvents). - It specifically filters for events where the process name is
certutil.exe. - It further narrows down the results by checking if the command line used to run
certutil.exeincludes certain keywords: "http", "urlcache", and "-f". These keywords suggest thatcertutil.exeis being used to download a file from a URL. - The query then organizes the results to show the timestamp, the command line used, the file name, and the account that initiated the process.
- The query looks at events related to processes on a device (
-
Why It's Important:
certutil.exeis a legitimate Windows tool, but it can be misused by attackers to download and execute malicious files. By monitoring its use in this way, security teams can identify and respond to potential threats. -
Tools: The query is written for two platforms, Defender XDR and Sentinel, which are used for monitoring and analyzing security events.
In summary, this query helps detect suspicious use of certutil.exe to download files from the internet, which could indicate malicious activity on a network.
Details

Bert-Jan Pals
Released: July 20, 2025
Tables
Keywords
Operators