rules/windows/process_creation/proc_creation_win_certutil_decode.yml

title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash:
            - '-decode ' # Decode Base64
            - '-decodehex ' # Decode Hex
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`title: File Decoded From Base64/Hex Via Certutil.EXE`
			`id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7`
			`status: test`
fix: apply suggestions from code review 2023-02-16 11:06:57 +01:00			`description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution`
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`references:`
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS 2024-07-02 06:00:11 -04:00			`- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil`
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/`
			`- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/`
			`- https://twitter.com/JohnLaTwC/status/835149808817991680`
			`- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil`
			`- https://lolbas-project.github.io/lolbas/Binaries/Certutil/`
			`author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2023-02-15`
Merge PR #5465 from @nasbench - Update `File Decoded From Base64/Hex Via Certutil.EXE` 2025-06-04 18:11:03 +02:00			`modified: 2025-06-04`
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`- attack.t1027`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_img:`
			`- Image\|endswith: '\certutil.exe'`
			`- OriginalFileName: 'CertUtil.exe'`
			`selection_cli:`
$frack113$ Merge PR #4752 from @frack113 - Update rules to use the `windash` modifier 2024-03-11 12:01:30 +01:00			`CommandLine\|contains\|windash:`
			`- '-decode ' # Decode Base64`
			`- '-decodehex ' # Decode Hex`
feat: update certutil rules 2023-02-15 19:53:51 +01:00			`condition: all of selection_*`
			`falsepositives:`
			`- Unknown`
Merge PR #5465 from @nasbench - Update `File Decoded From Base64/Hex Via Certutil.EXE` 2025-06-04 18:11:03 +02:00			`level: high`