Associated Software: certutil.exe
Created: 14 December 2017
Last Modified: 31 July 2019
|Enterprise||T1140||Deobfuscate/Decode Files or Information|
|Enterprise||T1105||Ingress Tool Transfer|
|Enterprise||T1553||.004||Subvert Trust Controls: Install Root Certificate||
certutil can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command:
Groups That Use This Software
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
- LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
- Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.