File Decoded From Base64/Hex Via Certutil.EXE

    Date: 06/05/2025

    Severity: Medium

    Summary

    "File Decoded From Base64/Hex Via Certutil.EXE" refers to the detection of the Windows utility certutil.exe being used with the -decode or -decodehex flags to convert base64 or hex-encoded data into executable files. While a legitimate tool, certutil is often abused by attackers to decode malicious payloads on a compromised system prior to execution, making this activity a strong indicator of potential post-exploitation behavior.

    Indicators of Compromise (IOC) List

    Image

    '\certutil.exe'

    Commandline

    '-decode '

    '-decodehex '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "certutil.exe" AND (commandline like "-decode" or commandline like "-decodehex"))

    Detection Query 2:

    technologygroup = "EDR" AND (processname like "certutil.exe" AND (commandline like "-decode" or commandline like "-decodehex"))
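    The matching logic behind the two queries above, as an added example that is not part of the Gurucul article or the referenced Sigma rule: Python that evaluates 4688-style process-creation records against the Image and Commandline IOCs, case-insensitively, over constructed sample events. The field names EventID, Image and CommandLine are assumptions about the log schema, and the example goes slightly beyond the IOC list by also accepting the "/decode" flag spelling that certutil takes alongside "-decode".

```python
import re
from typing import Dict, List

# Constructed sample 4688-style process-creation events (not from a real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\in.txt C:\Users\Public\out.exe"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -DecodeHex in.hex out.bin"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil /decode in.b64 out.bin"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode secret.bin secret.b64"},          # benign: encoding
    {"EventID": "4688", "Image": r"C:\Program Files\App\app.exe",
     "CommandLine": r"app.exe -decode config.dat"},                       # wrong image
    {"EventID": "4624", "Image": "", "CommandLine": ""},                  # not a 4688
]

IMAGE_SUFFIX = r"\certutil.exe"
# The IOC list writes the flags with a trailing space ('-decode ', '-decodehex ')
# so the flag must be a whole token; the regex keeps that, allows end-of-line,
# and ignores case because certutil accepts -Decode as readily as -decode.
FLAG_RE = re.compile(r"(?i)[-/]decode(?:hex)?(?:\s|$)")


def is_certutil_decode(event: Dict[str, str]) -> bool:
    """True when a 4688 record shows certutil.exe run with -decode/-decodehex."""
    if event.get("EventID") != "4688":
        return False
    if not event.get("Image", "").lower().endswith(IMAGE_SUFFIX):
        return False
    return FLAG_RE.search(event.get("CommandLine", "")) is not None


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of every event that triggers the detection."""
    return [e["CommandLine"] for e in events if is_certutil_decode(e)]


if __name__ == "__main__":
    for cmd in find_hits(SAMPLE_EVENTS):
        print("ALERT certutil decode:", cmd)
```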

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml


    Tags

    SigmaVulnerabilityCertutil
