Certutil.exe
Platform: Windows
Abuse functions: 7
Mapped techniques: 4
Description
Certutil.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Download, ADS, Encode, Decode. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1027, T1105, T1140, T1564.004. Defenders should monitor execution of Certutil.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.
Abuse functions (7)
| Function | Technique | Description |
|---|---|---|
| Download | T1105 | Download file from Internet |
| Download | T1105 | Download file from Internet |
| ADS | T1564.004 | Download file from Internet and save it in an NTFS Alternate Data Stream |
| Download | T1105 | Download file from Internet |
| Encode | T1027.013 | Encode files to evade defensive measures |
| Decode | T1140 | Decode files to evade defensive measures |
| Decode | T1140 | Decode files to evade defensive measures |
MITRE ATT&CK techniques (4)
Uses (4)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| SubTechnique | NTFS File Attributes (T1564.004) | 100% | live |
| Technique | Ingress Tool Transfer (T1105) | 100% | live |
| Technique | Encrypted/Encoded File (T1027.013) | 100% | live |
| Technique | Deobfuscate/Decode Files or Information (T1140) | 100% | live |
Abuses (4)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Technique | Obfuscated Files or Information (T1027) | 100% | live |
| SubTechnique | NTFS File Attributes (T1564.004) | 90% | live |
| Technique | Ingress Tool Transfer (T1105) | 85% | live |
| Technique | Deobfuscate/Decode Files or Information (T1140) | 85% | live |