LOL-CERTUTILCommand and Control

certutil.exe Download / Decode

Signed Windows binary used as a downloader (certutil -urlcache -split -f) or base64 decoder — slips past simple EDR.

§ Where this technique fits

LOL-CERTUTIL is catalogued under the Command and Control tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

certutil + bitsadmin → AV-friendly stager chain
Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
step 2 / 6

§ What commonly comes next

01
bitsadmin.exe Background Transfer
LOL-BITSADMIN · Command and Control
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

certutil + bitsadmin → AV-friendly stager chain

§ What commonly comes next