Skip to content

S0160 certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. 1

Item Value
ID S0160
Associated Names
Type TOOL
Version 1.3
Created 14 December 2017
Last Modified 03 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility certutil may be used to Base64 encode collected data.12
enterprise T1140 Deobfuscate/Decode Files or Information certutil has been used to decode binaries hidden inside certificate files as Base64 information.3
enterprise T1105 Ingress Tool Transfer certutil can be used to download files from a given URL.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.004 Install Root Certificate certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.4

Groups That Use This Software

ID Name References
G0096 APT41 5
G0007 APT28 67
G0010 Turla 8
G0075 Rancor 9
G1006 Earth Lusca 10
G0049 OilRig 11
G0126 Higaisa 1213
G0045 menuPass 141516
G0027 Threat Group-3390 17

References

  1. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017. 

  2. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019. 

  3. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. 

  4. Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017. 

  5. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  6. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  7. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  8. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  9. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  10. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  11. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  12. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  13. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  14. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  15. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  16. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  17. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.