The Detection Gap: MITRE ATT&CK T1140 and T1105
MITRE ATT&CK Walkthrough: T1140 (Deobfuscate/Decode Files or Information), T1105 (Ingress Tool Transfer)
- Certutil abuse often hides behind legitimate Windows behavior.
- The difference between normal and malicious activity comes down to execution context.
- Threat Tracer brings the chain into view so analysts can spend less time stitching and more time interpreting.
The Detection Gap is a breakdown for security practitioners who have to make quick calls under tight time constraints. In each post of this series, we’ll take one MITRE ATT&CK technique and walk through what it looks like when it's legitimate activity and compare what changes when it's actually an attacker in your environment. No theory, and no query syntax to memorize. Just the exact distinction that separates a real incident from everyday noise, made explicit, one technique at a time.
Certutil isn't the problem. Context is.
An alert fires. Certutil.exe just ran on an endpoint in your environment, and it's carrying flags you don't usually see. Could it simply be your PKI team renewing a certificate, or is it the first indication of an attack chain? Before we can answer that question, let’s take a look at why attackers use certutil in the first place.
If you've been around long enough in the industry, you’ve definitely seen certutil get abused. It ships with every Windows box, it's signed by Microsoft, and it has a quiet feature most admins forget about: it can decode base64 and make outbound requests to download files. Attackers exploit it for exactly that reason. Rather than deploying complex malware, they can use certutil for something it was never really designed for, in a way that looks totally legit to any tool that’s only checking signatures.
So what actually separates legitimate activity from malicious behavior?
The legitimate case
Your PKI or systems team uses certutil constantly for exactly what its name suggests: certificate management. A legitimate chain usually looks like this:
- Parent process: a scheduled task, or an admin's interactive PowerShell or cmd session
- Command line: something referencing a cert store operation, a .cer or .pfx file, or a domain-joined certificate authority
- Network behavior: none, or a connection to an internal CA server
- Timing: business hours, tied to certificate renewal cycles or new machine provisioning
The malicious case
Same binary, but notice its shape.
- Parent process: often something already suspicious on its own, like an Office application spawning cmd, or a process chain that started with a phishing payload
- Command line: -urlcache and -split flags are the two you should recognize immediately, often paired with -f to force a decode, pointed at a raw file path with no cert extension
- Network behavior: outbound to an external IP or a domain that has no business reason to be contacted by that host
- Timing: no relationship to any certificate lifecycle event, often off-hours
The chain spells out exactly what you need to know.
Where the signal comes together
This is the kind of investigation where context matters more than any single flag.
For many EDR workflows, that context starts with building the query. Pull the process tree, filter on certutil, filter again on the flags, and manually cross-reference the parent process. Those skills still matter, and that work is still part of good threat hunting. But Symantec® CBX changes where that manual effort gets spent.
Rather than manually stitching together the parent process, command line, and destination into a story, Threat Tracer (a visualization feature within CBX) surfaces that chain as a connected picture. Instead of rebuilding every step by hand, analysts can review the chain in context and spend more time interpreting what it means. Your job shifts from finding the connection to deciding whether that connection is expected or suspicious.
That’s the distinction this series is built around. A platform can assemble telemetry, but it still needs you, the analyst, to recognize when an execution chain deviates from normal behavior.
What to look for in Threat Tracer
First, focus on the process lineage, checking for anything that shouldn't be spawning certutil at all. Then, look at the destination. Does it align with your certificate infrastructure, or is it reaching out to an external host with no operational reason to be contacted? Once you've seen that sequence, you'll recognize it every time, regardless of what alert triggered the investigation.
A quick posture check
Before you close out, consider these questions about your own environment:
- If certutil executed with -urlcache -split -f against an external destination on one of your endpoints right now, would you catch it on the flags alone, or would you need the full attack chain?
- Do you have a clear baseline for how your PKI teams legitimately use certutil, allowing you to distinguish expected activity from anomalous behavior quickly?
- If you opened up Threat Tracer with just this execution chain, with no other context, could you determine what happened without relying on additional context?
If any of these questions gave you pause or felt hard to answer, that’s not unusual. Every investigation starts with understanding what “normal” looks like in your own environment. The clearer your baselines, the easier it’ll be to recognize when something deviates from it.
Next, we’ll look at another ATT&CK technique using the same approach: what’s normal, what’s not, and what tool can help you make that distinction faster.
To see how Symantec CBX can help speed investigations, reach out to your in-region expert for a 1:1 demo.



