Skip to content

S0160 certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. 1

Item Value
ID S0160
Associated Names
Version 1.2
Created 14 December 2017
Last Modified 16 August 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information certutil has been used to decode binaries hidden inside certificate files as Base64 information.2
enterprise T1105 Ingress Tool Transfer certutil can be used to download files from a given URL.14
enterprise T1553 Subvert Trust Controls -
enterprise T1553.004 Install Root Certificate certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.3

Groups That Use This Software

ID Name References
G0010 Turla 5
G0126 Higaisa 67
G0027 Threat Group-3390 8
G0045 menuPass 91011
G0096 APT41 12
G0075 Rancor 13
G0007 APT28 1415
G0049 OilRig 16


  1. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017. 

  2. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. 

  3. Levene, B., Falcone, R., Grunzweig, J., Lee, B., Olson, R. (2015, August 20). Retefe Banking Trojan Targets Sweden, Switzerland and Japan. Retrieved July 3, 2017. 

  4. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019. 

  5. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  6. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  7. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  8. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  9. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  10. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  11. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  12. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  13. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  14. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  15. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  16. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

Back to top