File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Standard | Windows | Defense Evasion: Obfuscated Files or Information (T1027) | Critical |
About the rule
Rule Type
Standard
Rule Description
Certutil.exe is a built-in Windows utility that attackers often misuse to encode files in Base64, typically to evade detection or prepare for exfiltration. This rule triggers when certutil.exe is used to encode a file located in suspicious directories—such as temporary folders, user profile subdirectories, or non-standard execution paths. Encoding files in these locations is uncommon during normal operations and may indicate malicious staging of data, obfuscation of payloads, or preparation for stealthy data exfiltration or delayed execution.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Execution → LOLBins abuse → File dropped in suspicious directory → certutil.exe used to encode file to Base64 → Obfuscation or staging → File exfiltration or delayed execution → Persistence or lateral movement decoding/execution.
Impact
- Malware staging
- Defense evasion
- Data exfiltration
- Persistence
Rule Requirement
Prerequisites
Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.
Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.
Criteria
Action1: actionname = "Process started"
  AND (PROCESSNAME endswith "\certutil.exe" OR ORIGINALFILENAME = "CertUtil.exe")
  AND COMMANDLINE contains "-encode,/encode,–encode,—encode,―encode"
  AND COMMANDLINE contains "\AppData\Roaming\,\Desktop\,\Local\Temp\,\PerfLogs\,\Users\Public\,\Windows\Temp\,$Recycle.Bin"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
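As an added example (not part of this rule page and not the vendor's own detection code), the following Python applies the criteria above to a handful of constructed process-creation events. The field names mirror the rule's PROCESSNAME, ORIGINALFILENAME and COMMANDLINE; the event class, the sample values, and the assumption that "contains" and "endswith" match case-insensitively are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Spellings of the encode switch the rule lists: hyphen-minus, slash,
# en dash (U+2013), em dash (U+2014) and horizontal bar (U+2015). The
# Unicode dashes cover copy-pasted or deliberately obfuscated command lines.
ENCODE_SWITCHES = ("-encode", "/encode", "\u2013encode", "\u2014encode", "\u2015encode")

# Directory fragments the rule treats as suspicious staging locations.
SUSPICIOUS_PATHS = (
    "\\AppData\\Roaming\\",
    "\\Desktop\\",
    "\\Local\\Temp\\",
    "\\PerfLogs\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    "$Recycle.Bin",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation event (assumed shape, not the product's schema)."""
    hostname: str
    process_name: str         # full image path (PROCESSNAME)
    original_file_name: str   # PE OriginalFileName (ORIGINALFILENAME); survives a rename
    command_line: str         # COMMANDLINE
    username: str
    parent_process_name: str
    message: str = "Process started"


def is_certutil(ev: ProcessEvent) -> bool:
    """PROCESSNAME endswith \\certutil.exe OR ORIGINALFILENAME = CertUtil.exe (case-insensitive)."""
    return (ev.process_name.lower().endswith("\\certutil.exe")
            or ev.original_file_name.lower() == "certutil.exe")


def has_encode_switch(command_line: str) -> bool:
    """COMMANDLINE contains any of the encode-switch spellings."""
    cmd = command_line.lower()
    return any(switch in cmd for switch in ENCODE_SWITCHES)


def touches_suspicious_path(command_line: str) -> bool:
    """COMMANDLINE contains any of the suspicious directory fragments."""
    cmd = command_line.lower()
    return any(path.lower() in cmd for path in SUSPICIOUS_PATHS)


def matches_rule(ev: ProcessEvent) -> bool:
    """All four conditions of the rule's Action1 must hold."""
    return (ev.message == "Process started"
            and is_certutil(ev)
            and has_encode_switch(ev.command_line)
            and touches_suspicious_path(ev.command_line))


def alert_fields(ev: ProcessEvent) -> dict:
    """The rule's select clause: fields carried into the alert (FILE_NAME is not
    modelled in this simplified event, so it is omitted here)."""
    return {
        "HOSTNAME": ev.hostname,
        "MESSAGE": ev.message,
        "COMMANDLINE": ev.command_line,
        "PROCESSNAME": ev.process_name,
        "USERNAME": ev.username,
        "PARENTPROCESSNAME": ev.parent_process_name,
    }


def run_rule(events):
    """Return one alert record per event that satisfies the rule."""
    return [alert_fields(ev) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: certutil encoding a file out of the user's Local\Temp folder -> alert
    ProcessEvent("WS01", "C:\\Windows\\System32\\certutil.exe", "CertUtil.exe",
                 "certutil.exe -encode C:\\Users\\alice\\AppData\\Local\\Temp\\stage.bin "
                 "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.txt",
                 "CORP\\alice", "C:\\Windows\\System32\\cmd.exe"),
    # 2: renamed copy using an en dash switch; still caught via OriginalFileName and \Users\Public\ -> alert
    ProcessEvent("WS02", "C:\\Windows\\Temp\\cu.exe", "CertUtil.exe",
                 "cu.exe \u2013encode C:\\Users\\Public\\report.docx C:\\Users\\Public\\report.b64",
                 "CORP\\bob", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    # 3: encoding from a build directory that is not in the suspicious list -> no alert
    ProcessEvent("BUILD01", "C:\\Windows\\System32\\certutil.exe", "CertUtil.exe",
                 "certutil.exe -encode C:\\Build\\release\\app.exe C:\\Build\\release\\app.b64",
                 "CORP\\svc_build", "C:\\Windows\\System32\\cmd.exe"),
    # 4: certutil -decode in a suspicious folder; a different switch, so this rule stays silent
    ProcessEvent("WS03", "C:\\Windows\\System32\\certutil.exe", "CertUtil.exe",
                 "certutil.exe -decode C:\\Users\\Public\\in.txt C:\\Users\\Public\\out.bin",
                 "CORP\\carol", "C:\\Windows\\explorer.exe"),
    # 5: another binary whose arguments merely contain "-encode" -> not certutil, no alert
    ProcessEvent("WS04", "C:\\Program Files\\Tool\\tool.exe", "tool.exe",
                 "tool.exe -encode C:\\Users\\Public\\data.txt", "CORP\\dave", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["USERNAME"], alert["COMMANDLINE"])
```

Two points the samples make explicit: the ORIGINALFILENAME clause is what keeps the rule firing when certutil.exe is copied under another name (event 2), and the path list is the false-positive boundary, so a build or deployment directory that encodes files routinely (event 3) never alerts while the same command run from Users\Public does. If your log source does not populate OriginalFileName (Security 4688 does not; Sysmon Event ID 1 does), only the image-name half of that clause is effective.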
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Obfuscated Files or Information (T1027)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you're alerted to a file located in an unusual or high-risk directory being Base64-encoded using certutil.exe—a potential sign of data staging or exfiltration.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule may be triggered by legitimate administrative or developer activities where temporary or working files are encoded using certutil.exe for testing, configuration backups, or scripting purposes.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Determine who or what initiated the certutil.exe encoding. Examine the source file path and assess whether the directory is commonly used for legitimate purposes in your environment.
- Analysis: Inspect the encoded file’s origin, contents (if decoded), and surrounding activity. Look for signs of scripting, file staging, or correlation with other alerts such as file drops, downloads, or lateral movement.
- Response: Isolate the affected system, terminate any associated processes, and delete the encoded file. Block certutil.exe usage where not required and inspect nearby systems for signs of lateral movement.
- Restrict certutil.exe: Restrict certutil.exe usage via application control policies.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically detect and quarantine suspicious files. |
M1047 | Audit | Enable periodic review of common fileless storage locations such as the Registry or WMI repository. |
M1040 | Behavior Prevention on Endpoint | On Windows 10 and newer, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. |
M1017 | User Training | Make sure that a software deployment system has only a limited number of entry points with restricted access for individuals. |