Home/certutil/YARA rules
YARA

YARA rules for certutil

3 rules · scoped to tool · back to certutil
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

3 of 3
direct Certutil
Certutil_Decode_OR_Download
Certutil Decode
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule Certutil_Decode_OR_Download {
   meta:
      description = "Certutil Decode"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      score = 40
      date = "2017-08-29"
      modified = "2026-04-01"
      id = "63bdefd2-225a-56d5-b615-5e236c97f050"
   strings:
      $a1 = "certutil -decode " ascii wide
      $a2 = "certutil  -decode " ascii wide
      $a3 = "certutil.exe -decode " ascii wide
      $a4 = "certutil.exe  -decode " ascii wide
      $a5 = "certutil -urlcache -split -f http" ascii wide
      $a6 = "certutil.exe -urlcache -split -f http" ascii wide

      $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
      $fp_doc = "https://docs.aws.amazon.com" ascii
   condition:
      filesize < 700KB
      and 1 of ($a*)
      and not 1 of ($fp*)
}
direct Cloaked
APT_Cloaked_CERTUTIL
Detects a renamed certutil.exe utility that is often used to decode encoded payloads
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule APT_Cloaked_CERTUTIL {
   meta:
      description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-09-14"
      modified = "2022-06-27"
      id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
   strings:
      $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
      $s5 = "certutil.pdb" fullword ascii
      $s3 = "Password Token" fullword ascii
   condition:
      uint16(0) == 0x5a4d and all of them
      and not filename contains "certutil"
      and not filename contains "CertUtil"
      and not filename contains "Certutil"
      and not filepath contains "\\Bromium\\"
}
direct Binary
Binary_Drop_Certutil
Drop binary as base64 encoded cert trick
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule Binary_Drop_Certutil {
	meta:
		description = "Drop binary as base64 encoded cert trick"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://goo.gl/9DNn8q"
		date = "2015-07-15"
		score = 70
		id = "19791e51-d041-524d-80fa-9f3ec54eb084"
	strings:
		$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
		$s1 = "echo -----END CERTIFICATE----- >>" ascii
		$s2 = "certutil -decode " ascii
	condition:
		filesize < 10KB and all of them
}
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin