1. Home
  2. Software
  3. certutil

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

ID: S0160
Associated Software: certutil.exe
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 14 December 2017
Last Modified: 16 August 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

certutil has been used to decode binaries hidden inside certificate files as Base64 information.[2]
Enterprise T1105 Ingress Tool Transfer

certutil can be used to download files from a given URL.[1][3]
Enterprise T1553 .004 Subvert Trust Controls: Install Root Certificate

certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.[4]

Groups That Use This Software

ID Name References
G0010 Turla

[5]
G0126 Higaisa

[6][7]
G0027 Threat Group-3390

[8]
G0045 menuPass

[9][10][11]
G0096 APT41

[12]
G0075 Rancor

[13]
G0007 APT28

[14][15]
G0049 OilRig

[16]

References

  1. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  2. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
  3. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  4. Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017.
  5. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  6. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  7. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  8. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  1. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  2. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  3. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  4. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  5. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  6. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  7. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  8. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.