File In Suspicious Location Encoded To Base64 Via Certutil.EXE

    Date: 01/08/2025

    Severity: High

    Summary

    Detects execution of certutil.exe with the "-encode" switch, which converts a file to Base64, where the command line references a file in a directory commonly used to stage tooling (user profile, temp, public and recycle-bin locations listed below).

    Indicators of Compromise (IOC) List

    Image :

    '\certutil.exe'

    OriginalFileName : 

    'CertUtil.exe'

    CommandLine (must contain '-encode' and at least one of the following path fragments) :

    '-encode'

    - '\AppData\Roaming\'

    - '\Desktop\'

    - '\Local\Temp\'

    - '\PerfLogs\'

    - '\Users\Public\'

    - '\Windows\Temp\'

    - '$Recycle.Bin'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security" AND eventtype = "4688")  AND processname like "certutil.exe"  AND commandline like "-encode" and (commandline like "\AppData\Roaming" or commandline like "\Desktop" or commandline like "\Local\Temp" or commandline like "\PerfLogs" or commandline like "\Users\Public" or commandline like "\Windows\Temp" or commandline like "$Recycle.Bin")

    Detection Query :

    (technologygroup = "EDR")  AND processname like "certutil.exe"  AND commandline like "-encode" and (commandline like "\AppData\Roaming" or commandline like "\Desktop" or commandline like "\Local\Temp" or commandline like "\PerfLogs" or commandline like "\Users\Public" or commandline like "\Windows\Temp" or commandline like "$Recycle.Bin")
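    As an added example (not Gurucul's code or query engine), the same detection logic re-implemented in Python and run over a few constructed process-creation events. The line format, the field names (Image, OriginalFileName, CommandLine) and every sample command line are assumptions made for the example. It goes slightly beyond the page's queries in two ways: it accepts the "/encode" spelling of the switch as well as "-encode" (certutil accepts either prefix), and it honours OriginalFileName, which Sysmon and EDR process events carry but Windows Security 4688 events do not.

```python
"""Added example: the certutil '-encode' suspicious-location rule from this page,
re-implemented over constructed process-creation events. Not Gurucul's engine;
event format, field names and sample lines are assumptions for the example."""
import re
from typing import Dict, Iterable, List, Optional

# Path fragments from the page's IOC list, lower-cased because Windows paths
# are case-insensitive.
SUSPICIOUS_PATHS = (
    "\\appdata\\roaming\\",
    "\\desktop\\",
    "\\local\\temp\\",
    "\\perflogs\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "$recycle.bin",
)

# certutil accepts switches with either '-' or '/'. The page's queries list only
# '-encode'; matching '/encode' too is a deliberate extension of the rule.
ENCODE_SWITCH = re.compile(r"(?:^|\s)[-/]encode(?:\s|$)", re.IGNORECASE)


def is_certutil(image: str, original_file_name: Optional[str]) -> bool:
    """Image check from the IOC list: the path ends in \\certutil.exe, or the PE
    OriginalFileName (present in Sysmon/EDR events, absent from 4688) is
    CertUtil.exe. Either condition is enough."""
    if image.lower().endswith("\\certutil.exe"):
        return True
    return (original_file_name or "").lower() == "certutil.exe"


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the page's detection logic to one parsed event."""
    if not is_certutil(event.get("Image", ""), event.get("OriginalFileName")):
        return False
    cmd = event.get("CommandLine", "")
    if not ENCODE_SWITCH.search(cmd):
        return False
    cmd_l = cmd.lower()
    return any(fragment in cmd_l for fragment in SUSPICIOUS_PATHS)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value; Key=Value' line (assumed toy export
    format; values must not contain ';')."""
    event: Dict[str, str] = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            event[key.strip()] = value.strip()
    return event


def detect(lines: Iterable[str]) -> List[str]:
    """Return the CommandLine of every event that matches the rule."""
    return [ev.get("CommandLine", "") for ev in map(parse_line, lines) if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_LINES = [
    # 1: encode of a file under AppData\Roaming -> match
    "EventID=4688; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil.exe -encode C:\\Users\\alice\\AppData\\Roaming\\stage.bin C:\\Users\\alice\\AppData\\Roaming\\stage.txt",
    # 2: encode, but the file lives under Program Files -> no match
    "EventID=4688; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil.exe -encode \"C:\\Program Files\\Vendor\\config.xml\" config.b64",
    # 3: -decode in a public directory -> not this rule
    "EventID=4688; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil.exe -decode C:\\Users\\Public\\blob.txt blob.bin",
    # 4: slash form of the switch -> match (extension beyond the page's '-encode')
    "EventID=4688; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil  /encode C:\\Windows\\Temp\\lib.dll lib.txt",
    # 5: parent cmd.exe event -> no match; the child certutil.exe process gets its own event
    "EventID=4688; Image=C:\\Windows\\System32\\cmd.exe; CommandLine=cmd.exe /c certutil -encode C:\\Users\\Public\\in.bin out.txt",
    # 6: Sysmon-style event, image name differs but OriginalFileName is CertUtil.exe -> match
    "EventID=1; Image=C:\\Users\\Public\\cu.exe; OriginalFileName=CertUtil.exe; CommandLine=cu.exe -encode C:\\Users\\Public\\in.bin C:\\Users\\Public\\out.txt",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print("MATCH:", hit)
```

Matching is case-insensitive because Windows paths and certutil switches are; whether the Gurucul `like` operator is case-insensitive is not stated on the page, so confirm that before relying on the queries above. Note also that the rule fires on the certutil.exe process itself: a `cmd.exe /c certutil -encode ...` parent event does not match, but the child certutil.exe process creation does, so both 4688 and EDR sources should be logging child processes.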

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml


    Tags

    Malware, Sigma, Certutil
