1. Home
  2. Software
  3. certutil

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

ID: S0160
Associated Software: certutil.exe
Type: TOOL
Platforms: Windows
Version: 1.5
Created: 14 December 2017
Last Modified: 27 November 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

certutil may be used to Base64 encode collected data.[1][2]
Enterprise T1140 Deobfuscate/Decode Files or Information

certutil has been used to decode binaries hidden inside certificate files as Base64 information.[3]
Enterprise T1105 Ingress Tool Transfer

certutil can be used to download files from a given URL.[1][2]
Enterprise T1553 .004 Subvert Trust Controls: Install Root Certificate

certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.[4]

Groups That Use This Software

ID Name References
G0045 menuPass

[5][6][7]
G0007 APT28

[8][9]
G0010 Turla

[10]
G0049 OilRig

[11][12]
G0027 Threat Group-3390

[13]
G0126 Higaisa

[14][15]
G1016 FIN13

[16]
G1006 Earth Lusca

[17]
G0096 APT41

[18][19]
G0075 Rancor

[20]
G1017 Volt Typhoon

[21][22]
G0030 Lotus Blossom

Lotus Blossom has used certutil during operations.[23]

Campaigns

ID Name Description
C0040 APT41 DUST

APT41 DUST used certutil to load and execute DUSTPAN.[19]

References

  1. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  2. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  3. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
  4. Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
  5. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  6. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  7. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  8. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  10. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  11. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  12. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  1. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  2. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  3. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  4. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  6. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  7. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  8. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  9. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  10. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  11. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.