Bypass Detection·Jun 2, 2026

Shitty Bypass: Kernel Driver Dropped via certutil to System32

Shitty Bypass uses certutil.exe — a Windows built-in Living Off the Land Binary — to download a kernel driver (info.sys, with a cum.sys variant also observed) directly into C:\Windows\System32. This is among the most-detected LOLBAS download patterns in existence. The certutil command-line, including the full download URL, survives in DiagTrack service artifacts even after process termination, providing durable forensic evidence.

FiveMBypass DetectionKernel Drivercertutil LOLBASDiagTrack

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Shitty Bypass employs certutil.exe — a certificate management utility included in every modern Windows installation — as a file downloader to fetch a kernel driver and write it to C:\Windows\System32. The technique exploits the certutil -urlcache -split -f <URL> <outpath> invocation pattern, which downloads an arbitrary remote file without triggering Windows SmartScreen or requiring elevated download prompts on misconfigured systems.

The primary driver artifact is named info.sys (SHA-256: 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea). A variant with the filename cum.sys has also been observed using the same delivery technique with a different payload binary. Legitimate kernel drivers in System32 are always digitally signed by their vendor and by Microsoft WHQL — an unsigned driver in this location is an immediate red flag.

From an OPSEC standpoint, the naming choices are self-defeating and the delivery method is one of the most-detected LOLBAS patterns documented by the security community. DiagTrack (Connected User Experiences and Telemetry service) logs process command-line arguments including the full certutil invocation, which persists in its database even after certutil.exe has exited and the driver file has been deleted.

Primary IOCs

1

info.sys in C:\Windows\System32

Navigate to C:\Windows\System32 and search for info.sys and cum.sys. These filenames do not belong to any legitimate Windows component. Right-click any found file and check its digital signature — legitimate drivers are signed; the bypass driver is unsigned. Presence alone is a strong positive IOC.

2

SHA-256 hash of info.sys

If info.sys is found, compute its SHA-256 hash: run certutil -hashfile C:\Windows\System32\info.sys SHA256 in an elevated Command Prompt. A result matching 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea is a definitive match. Any non-matching hash on a file named info.sys in System32 is still suspicious and warrants investigation.

3

DiagTrack artifact showing certutil command-line

The DiagTrack service writes process telemetry including full command-line arguments to C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\ and associated SQLite databases. Use a DiagTrack parser or WxTCmd to query the telemetry database for certutil entries. The recovered record will include the download URL and output path (C:\Windows\System32\info.sys), providing the staging server hostname as a network IOC even if the file has since been deleted.

4

certutil.exe in BAM/Prefetch records

Open WinPrefetchView and locate CERTUTIL.EXE-*.pf. The last execution timestamp and the referenced file paths listed in the Prefetch entry will corroborate when the download occurred. Additionally, check the Background Activity Monitor (BAM) registry key at HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\ for a certutil.exe last execution entry under the relevant SID.

5

cum.sys variant search

Run a filesystem search for cum.sys across all drives: where /r C:\ cum.sys in an elevated Command Prompt. This variant uses the same certutil LOLBAS delivery and drops to System32. If found, apply the same hash verification and DiagTrack forensics as for info.sys. The presence of either filename in System32 with no Microsoft signature is conclusive.

certutil as a Downloader — DiagTrack Forensics

certutil.exe has been documented as a LOLBAS downloader since at least 2017. The standard invocation certutil -urlcache -split -f <URL> <outpath> downloads a remote file over HTTP or HTTPS and writes it to the specified output path. Crucially, certutil also writes a copy of downloaded content to the URL cache directory (%LOCALAPPDATA%\Microsoft\Windows\INetCache\), leaving a second copy of the payload even if the primary drop path is cleaned.

The DiagTrack service (also known as Connected User Experiences and Telemetry, or UTC) runs continuously and records process creation events including command-line arguments to its own telemetry store. Unlike Windows Event Logs, which are frequently targeted by cleanup scripts via wevtutil cl, the DiagTrack telemetry store is a separate database that most bypass authors do not target for cleanup. The data persists until DiagTrack rotates its logs on its own schedule.

To access DiagTrack artifacts, investigators can use Eric Zimmermann's WxTCmd tool to parse the Windows.db telemetry database found in C:\ProgramData\Microsoft\Diagnosis\. The parsed output will include timestamped process creation records with full command-line arguments, making it straightforward to reconstruct the certutil download invocation and extract the staging URL.

Screenshare Check Methodology

1

System32 driver search

Ask the subject to open an elevated Command Prompt and run dir C:\Windows\System32\info.sys C:\Windows\System32\cum.sys 2>nul. Any output listing the file confirms presence. Follow up with certutil -hashfile C:\Windows\System32\info.sys SHA256 if found. The subject cannot meaningfully fake this output in real-time.

2

Driver signature check

Ask the subject to open PowerShell and run Get-AuthenticodeSignature C:\Windows\System32\info.sys | Select-Object Status, SignerCertificate. A legitimate driver returns Valid with a recognizable publisher. An unsigned bypass driver returns NotSigned or UnknownError. This check is fast and unambiguous.

3

certutil Prefetch timestamp

Open WinPrefetchView on the subject's machine. Sort by Last Run Time. A recent CERTUTIL.EXE Prefetch entry — particularly one close to a game session or near suspicious activity timestamps — corroborates the download event. Ask the subject to scroll through the list live on screenshare.

4

INetCache review

Ask the subject to open %LOCALAPPDATA%\Microsoft\Windows\INetCache\ in File Explorer with hidden files shown. certutil writes downloaded content here. Sort by date modified and look for any .sys, .exe, or other executable files that certutil may have cached during the download operation.

5

Autoruns driver check

Open Autoruns (Sysinternals) and navigate to the Drivers tab. Filter for entries without a Microsoft or trusted vendor signature. Any unsigned driver entry, particularly one with a suspicious name or a System32 path, should be flagged. Autoruns color-codes unverified entries in yellow, making them immediately visible.

Detection Notes

certutil downloading to System32 is a tier-1 detection rule in every major EDR and SIEM platform. Windows Defender, CrowdStrike, SentinelOne, and Carbon Black all flag this pattern out of the box. The bypass author's choice to use certutil for kernel driver delivery represents a fundamental misunderstanding of operational security — or a deliberate disregard for it.

DiagTrack artifacts are the most durable forensic evidence for this bypass. Even if the actor deletes info.sys, wipes Prefetch, and clears Event Logs, the DiagTrack database preserves the full certutil command-line including the staging URL. Investigators should always query DiagTrack before concluding that an actor has successfully cleaned up.

The INetCache artifact provides an additional recovery path: certutil's URL cache copy of the downloaded driver may survive even if the primary C:\Windows\System32\info.sys has been deleted. Hash the cached copy to confirm it matches the known bypass driver SHA-256.