Suspicious File Encoded To Base64 Via Certutil.EXE

About the rule

Rule Type

Standard

Rule Description

Certutil.exe is a built-in Windows tool used for certificate and file management, but attackers often abuse it to encode malicious files in Base64 format. This technique helps obfuscate payloads, evade signature-based detection, and facilitate covert data exfiltration or staging for later execution. The rule detects instances where certutil.exe is used with the encode flag—especially when used on suspicious file types or in unusual directories. While encoding can serve legitimate purposes, its misuse by adversaries is a hallmark of living-off-the-land and stealthy post-exploitation tactics.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Living-off-the-land binary (LOLBins) abuse → certutil.exe used to encode file to Base64 → Obfuscation of malicious payload or preparation for exfiltration → File transfer or later decoding/execution → Persistence or data exfiltration

Impact

• Malware staging
• Defense evasion
• Data exfiltration
• Persistence
• Incident response delays

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Obfuscated Files or Information (T1027)

Security standard:

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified of a file being encoded to Base64 using certutil.exe—a behavior often associated with data obfuscation or exfiltration preparation.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may be triggered by legitimate administrative or development activities where certutil.exe is used to encode files for backup, transport, or scripting purposes.

Next Steps

When this rule is triggered, the following measures can be implemented:

• Identification: Review the command-line arguments passed to certutil.exe and identify the user, the source file, and the destination path to look for behaviour deviation.
• Analysis: Analyze file content and any follow-up activity such as decoding, execution, or file transfers. Correlate with recent alerts for signs of staging, exfiltration, or command-and-control (C2) setup.
• Response: Isolate the affected system, terminate any associated processes, and delete encoded payloads. Block further use of certutil.exe and inspect nearby systems for signs of lateral movement.
• Monitor certutil.exe: Restrict the use of certutil.exe to authorized users via group policies or application control.

Mitigation