Domain | ID | Name | Use
---|---|---|---
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | 
Enterprise | T1140 | Deobfuscate/Decode Files or Information | certutil has been used to decode binaries hidden inside certificate files as Base64 information.[3]
Enterprise | T1105 | Ingress Tool Transfer | certutil can be used to download files from a given URL.[1][2]
Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command:


ID | Name | References
---|---|---
G0045 | menuPass | 
G0007 | APT28 | 
G0010 | Turla | 
G0049 | OilRig | 
G0027 | Threat Group-3390 | 
G0126 | Higaisa | 
G1016 | FIN13 | 
G1006 | Earth Lusca | 
G0096 | APT41 | 
G0075 | Rancor | 
G1017 | Volt Typhoon | 


ID | Name | Description
---|---|---
C0040 | APT41 DUST | APT41 DUST used certutil to load and execute DUSTPAN.[18]