According to Microsoft, certutil.exe is normally meant to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
However, malware abuses it because it can also download files and encode and decode data. Downloading through certutil can help to circumvent detections and defenses, and encoding and decoding can serve the same purpose.
Here is an example Sigma rule to help detect misuse of certutil.exe: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml
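The same kind of process-creation check, written out as an added example (it is not the linked Sigma rule and does not reproduce its logic): it flags certutil command lines that use the download, encode or decode capabilities named above. The field names assume Sysmon Event ID 1 style records, and the flag grouping and sample events are constructed for illustration.

```python
import ntpath
import re

# certutil verbs grouped by the capability the page names (the grouping is an
# assumption of this example, not taken from the linked Sigma rule).
VERB_TO_CATEGORY = {
    "urlcache": "download", "verifyctl": "download",
    "encode": "encode", "encodehex": "encode",
    "decode": "decode", "decodehex": "decode",
}
# certutil accepts "-" or "/" as the switch prefix; require leading whitespace
# so the slashes inside a URL are not read as switches.
SWITCH_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)")

def is_certutil(event):
    """True if the on-disk name or the PE OriginalFileName is certutil.exe."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return "certutil.exe" in (image, original)

def classify(event):
    """Return the sorted capabilities (download/encode/decode) an event uses."""
    if not is_certutil(event):
        return []
    switches = {s.lower() for s in SWITCH_RE.findall(event.get("CommandLine", ""))}
    return sorted({VERB_TO_CATEGORY[s] for s in switches if s in VERB_TO_CATEGORY})

def scan(events):
    """Return (command line, capabilities) for every event that matches."""
    hits = [(e["CommandLine"], classify(e)) for e in events]
    return [(cmd, caps) for cmd, caps in hits if caps]

# Constructed sample events (not real telemetry).
FIELDS = ("Image", "OriginalFileName", "CommandLine")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/f.txt f.txt"),
    (r"C:\Windows\System32\certutil.exe", "CertUtil.exe", "certutil /decode in.b64 out.bin"),
    (r"C:\Windows\System32\certutil.exe", "CertUtil.exe", "certutil.exe -verify cert.cer"),
    (r"C:\Temp\cu.exe", "CertUtil.exe", "cu.exe -encode a.txt b.txt"),
    (r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c echo -decode"),
]]

if __name__ == "__main__":
    for cmd, caps in scan(SAMPLE_EVENTS):
        print(",".join(caps), "|", cmd)
```

Ordinary administrative use such as `-verify` is not flagged, so the check stays focused on the three capabilities the text describes.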