Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Shitty Bypass employs certutil.exe — a certificate management utility included in every modern Windows installation — as a file downloader to fetch a kernel driver and write it to C:\Windows\System32. The technique exploits the certutil -urlcache -split -f <URL> <outpath> invocation pattern, which downloads an arbitrary remote file without triggering Windows SmartScreen or requiring elevated download prompts on misconfigured systems.
The primary driver artifact is named info.sys (SHA-256: 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea). A variant with the filename cum.sys has also been observed using the same delivery technique with a different payload binary. Legitimate kernel drivers in System32 are always digitally signed by their vendor and by Microsoft WHQL — an unsigned driver in this location is an immediate red flag.
From an OPSEC standpoint, the naming choices are self-defeating and the delivery method is one of the most-detected LOLBAS patterns documented by the security community. DiagTrack (Connected User Experiences and Telemetry service) logs process command-line arguments including the full certutil invocation, which persists in its database even after certutil.exe has exited and the driver file has been deleted.
Primary IOCs
info.sys in C:\Windows\System32
Navigate to C:\Windows\System32 and search for info.sys and cum.sys. These filenames do not belong to any legitimate Windows component. Right-click any found file and check its digital signature — legitimate drivers are signed; the bypass driver is unsigned. Presence alone is a strong positive IOC.
SHA-256 hash of info.sys
If info.sys is found, compute its SHA-256 hash: run certutil -hashfile C:\Windows\System32\info.sys SHA256 in an elevated Command Prompt. A result matching 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea is a definitive match. Any non-matching hash on a file named info.sys in System32 is still suspicious and warrants investigation.
DiagTrack artifact showing certutil command-line
The DiagTrack service writes process telemetry including full command-line arguments to C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\ and associated SQLite databases. Use a DiagTrack parser or WxTCmd to query the telemetry database for certutil entries. The recovered record will include the download URL and output path (C:\Windows\System32\info.sys), providing the staging server hostname as a network IOC even if the file has since been deleted.
certutil.exe in BAM/Prefetch records
Open WinPrefetchView and locate CERTUTIL.EXE-*.pf. The last execution timestamp and the referenced file paths listed in the Prefetch entry will corroborate when the download occurred. Additionally, check the Background Activity Monitor (BAM) registry key at HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\ for a certutil.exe last execution entry under the relevant SID.
cum.sys variant search
Run a filesystem search for cum.sys across all drives: where /r C:\ cum.sys in an elevated Command Prompt. This variant uses the same certutil LOLBAS delivery and drops to System32. If found, apply the same hash verification and DiagTrack forensics as for info.sys. The presence of either filename in System32 with no Microsoft signature is conclusive.
certutil as a Downloader — DiagTrack Forensics
certutil.exe has been documented as a LOLBAS downloader since at least 2017. The standard invocation certutil -urlcache -split -f <URL> <outpath> downloads a remote file over HTTP or HTTPS and writes it to the specified output path. Crucially, certutil also writes a copy of downloaded content to the URL cache directory (%LOCALAPPDATA%\Microsoft\Windows\INetCache\), leaving a second copy of the payload even if the primary drop path is cleaned.
The DiagTrack service (also known as Connected User Experiences and Telemetry, or UTC) runs continuously and records process creation events including command-line arguments to its own telemetry store. Unlike Windows Event Logs, which are frequently targeted by cleanup scripts via wevtutil cl, the DiagTrack telemetry store is a separate database that most bypass authors do not target for cleanup. The data persists until DiagTrack rotates its logs on its own schedule.
To access DiagTrack artifacts, investigators can use Eric Zimmermann's WxTCmd tool to parse the Windows.db telemetry database found in C:\ProgramData\Microsoft\Diagnosis\. The parsed output will include timestamped process creation records with full command-line arguments, making it straightforward to reconstruct the certutil download invocation and extract the staging URL.
Detection Notes
certutil downloading to System32 is a tier-1 detection rule in every major EDR and SIEM platform. Windows Defender, CrowdStrike, SentinelOne, and Carbon Black all flag this pattern out of the box. The bypass author's choice to use certutil for kernel driver delivery represents a fundamental misunderstanding of operational security — or a deliberate disregard for it.
DiagTrack artifacts are the most durable forensic evidence for this bypass. Even if the actor deletes info.sys, wipes Prefetch, and clears Event Logs, the DiagTrack database preserves the full certutil command-line including the staging URL. Investigators should always query DiagTrack before concluding that an actor has successfully cleaned up.
The INetCache artifact provides an additional recovery path: certutil's URL cache copy of the downloaded driver may survive even if the primary C:\Windows\System32\info.sys has been deleted. Hash the cached copy to confirm it matches the known bypass driver SHA-256.