certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

ID: S0160
Associated Software: certutil.exe
Type: TOOL
Platforms: Windows
Version: 1.4
Created: 14 December 2017
Last Modified: 27 July 2023

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

certutil may be used to Base64 encode collected data.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

certutil has been used to decode binaries hidden inside certificate files as Base64 information.[3]

Enterprise T1105 Ingress Tool Transfer

certutil can be used to download files from a given URL.[1][2]

Enterprise T1553 .004 Subvert Trust Controls: Install Root Certificate

certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.[4]

Groups That Use This Software

Campaigns

ID Name Description
C0040 APT41 DUST

APT41 DUST used certutil to load and execute DUSTPAN.[18]

References