
certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

ID: S0160
Aliases: certutil, certutil.exe
Type: TOOL
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | certutil has been used to decode binaries hidden inside certificate files as Base64 information.[2] |
| Enterprise | T1130 | Install Root Certificate | certutil can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.[3] |
| Enterprise | T1105 | Remote File Copy | certutil can be used to download files from a given URL.[1][4] |
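A detection-side sketch of the three uses listed above, mapping process-creation command lines to the technique IDs in the table. It is an added example, not part of the ATT&CK entry; the function names, the rule table and the sample command lines (other than the one quoted in the table) are constructed for illustration, and the option names matched are certutil's own switches.

```python
import re

# Each rule: technique ID from the table, the certutil options that select it,
# and an optional pattern that one positional argument must also match.
RULES = [
    ("T1140", {"decode", "decodehex"}, None),                    # Deobfuscate/Decode
    ("T1130", {"addstore"}, re.compile(r"^(root|authroot)$", re.I)),  # Install Root Certificate
    ("T1105", {"urlcache"}, re.compile(r"^(https?|ftp)://", re.I)),   # Remote File Copy
]
IMAGE_NAMES = {"certutil", "certutil.exe"}  # aliases listed on this page

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(cmdline):
    """Return the technique IDs a certutil command line matches (empty if none)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in IMAGE_NAMES:
        return []  # a renamed copy needs original-file-name or hash telemetry instead
    # certutil accepts "-" and "/" as option prefixes; compare case-insensitively
    options = {t[1:].lower() for t in tokens[1:] if len(t) > 1 and t[0] in "-/"}
    args = [t for t in tokens[1:] if t[0] not in "-/"]
    hits = []
    for technique, wanted, arg_pattern in RULES:
        if options & wanted and (
            arg_pattern is None or any(arg_pattern.search(a) for a in args)
        ):
            hits.append(technique)
    return hits

# Constructed sample events, except the first, which is the command quoted above.
SAMPLES = [
    r"certutil -addstore -f -user ROOT ProgramData\cert512121.der",
    r'"C:\Windows\System32\certutil.exe" -decode C:\Temp\in.crt C:\Temp\out.bin',
    r"CERTUTIL.EXE /urlcache /f https://example.test/f.txt f.txt",
    r"certutil -hashfile C:\Temp\setup.exe SHA256",   # routine admin use
    r"certutil -addstore -f CA intermediate.cer",     # not a root store
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "no match", "<-", line)
```

The last two samples show why the rules check the store name and the option rather than alerting on every certutil execution.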

Groups

Groups that use this software:

APT28
menuPass
OilRig
Rancor

References