At the time I looked at certutil I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’.

<file name = "certadm.dll">
    <comClass description = "ICertAdmin2"
        clsid = "{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}"
        threadingModel = "Both"/>
    <comClass description = "CCertAdmin"
        clsid = "{37eabaf0-7fb6-11d0-8817-00a0c903b83c}"
        threadingModel = "Both"/>
    <comClass description = "ICertView2"
        clsid = "{d594b282-8851-4b61-9c66-3edadf848863}"
        threadingModel = "Both"/>
    <comClass description = "CCertView"
        clsid = "{a12d0f7a-1e84-11d1-9bd6-00c04fb683fa}"
        threadingModel = "Both"/>
</file>

Once I spotted it I immediately jumped hoping that this is yet another rare persistence/side-loading opportunity. Not only ‘certadm.dll’ is not present on new OS versions (phantom DLL!), the `comClass` suggests we could be able to load some COM DLLs when some events happen related to a given application that leverages this loading mechanism which in COM documentation is referenced as a Side by Side registrationless COM.

Another interesting bit is that certutil.exe is an orphan when it comes to manifests with comclass. Yes, this is the only native OS executable I could find that has a manifest actually referencing ComClass!

Sadly, in the end I was not able to side-load anything or instantiate anything, but the idea sticks. Perhaps people more accustomed with COM can shed some light how to use it?