Suspicious File Encoded To Base64 Via Certutil.EXE

    Date: 01/07/2025

    Severity: High

    Summary

    "Suspicious File Encoded To Base64 Via Certutil.EXE" examines the use of the Certutil tool with the "encode" flag to convert files into Base64 encoding. This technique is often employed by malicious actors to obfuscate files, particularly when the file extensions appear suspicious. The report highlights how the encoded files may evade detection and the importance of monitoring and analyzing such activity to identify potential threats.

    Indicators of Compromise (IOC) List

    Image: \certutil.exe

    OriginalFileName: CertUtil.exe

    CommandLine: '-encode' together with one of the following file extensions:

    '.acl', '.bat', '.doc', '.gif', '.jpeg', '.jpg', '.mp3', '.pdf', '.png', '.ppt', '.tmp', '.xls', '.xml'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype in ("4688") AND newprocessname like "\certutil.exe" AND processname like "CertUtil.exe" AND commandline like "-encode" AND commandline IN (".acl",".bat",".doc",".gif",".jpeg",".jpg",".mp3",".pdf",".png",".ppt",".tmp",".xls",".xml"))

    Detection Query 2

    (technologygroup = "EDR" AND newprocessname like "\certutil.exe" AND processname like "CertUtil.exe" AND commandline like "-encode" AND commandline IN (".acl",".bat",".doc",".gif",".jpeg",".jpg",".mp3",".pdf",".png",".ppt",".tmp",".xls",".xml"))
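    The two queries above express the same three selections (Image, OriginalFileName, CommandLine). The following added example, which is not Gurucul's or Sigma's code, evaluates those selections in Python against constructed process-creation events so the logic can be checked offline; it assumes case-insensitive substring matching, mirroring Windows path and argument handling, and the event ids and paths are invented.

```python
# Constructed events and rule evaluation for the certutil -encode detection.
# Assumption: matching is case-insensitive, as on Windows.

SUSPICIOUS_EXTENSIONS = (
    ".acl", ".bat", ".doc", ".gif", ".jpeg", ".jpg", ".mp3",
    ".pdf", ".png", ".ppt", ".tmp", ".xls", ".xml",
)

def matches_rule(event: dict) -> bool:
    """True when all three selections of the detection hold for one event."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        image.endswith("\\certutil.exe")
        and original == "certutil.exe"
        and "-encode" in cmd
        and any(ext in cmd for ext in SUSPICIOUS_EXTENSIONS)
    )

def matched_extensions(event: dict) -> list:
    """Listed extensions present in the command line, useful as triage context."""
    cmd = event.get("CommandLine", "").lower()
    return [ext for ext in SUSPICIOUS_EXTENSIONS if ext in cmd]

def find_matches(events: list) -> list:
    """Ids of the events that trigger the detection, in input order."""
    return [e["id"] for e in events if matches_rule(e)]

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -encode C:\Users\Public\payload.tmp C:\Users\Public\out.txt"},
    # Routine certificate handling: -encode but no listed extension, so no alert.
    {"id": 2, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -encode C:\certs\server.cer C:\certs\server.b64"},
    # -decode is outside this rule even though a listed extension is present.
    {"id": 3, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\out.txt C:\Users\Public\run.bat"},
    # Renamed copy: OriginalFileName still matches, but the Image selection does not,
    # and the page's queries AND the two, so this event is missed (a coverage caveat).
    {"id": 4, "Image": r"C:\Tools\renamed.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"renamed.exe -ENCODE C:\Temp\report.pdf C:\Temp\report.txt"},
    # Upper-case flag and extension still match under case-insensitive comparison.
    {"id": 5, "Image": r"C:\Windows\SysWOW64\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -ENCODE C:\Temp\photo.JPG C:\Temp\photo.txt"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], matches_rule(e), matched_extensions(e))
```

Running the block reports events 1 and 5 as matches; event 4 shows why a renamed certutil binary slips past a query that requires both the Image and OriginalFileName selections.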

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml

    Tags

    Malware, Sigma, Certutil
