Encoding or Decoding Files via CertUtil
Identifies the use of certutil.exe to encode or decode data. CertUtil is a
native Windows component that is part of Certificate Services. Attackers
often abuse CertUtil to encode or decode Base64 data for stealthier command
and control or exfiltration.
Rule indices:
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Rule query
event.action:"Process Create (rule: ProcessCreate)" and
process.name:"certutil.exe" and process.args:("-encode" or
"/encode" or "-decode" or "/decode")
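As an added illustration, not part of the Elastic rule or its documentation, the following Python re-implements the query's three AND-ed clauses and runs them over constructed Winlogbeat-style Sysmon process-creation events. The event shape, the sample events and the `ignore_case` option are assumptions; the rule itself performs an exact term match on `process.args`, so case variants such as `-Encode` are not matched unless the field is lowercased.

```python
"""Offline re-implementation of the CertUtil encode/decode rule logic."""

ENCODE_DECODE_ARGS = {"-encode", "/encode", "-decode", "/decode"}
PROCESS_CREATE = "Process Create (rule: ProcessCreate)"


def matches_rule(event: dict, ignore_case: bool = False) -> bool:
    """Return True when the event satisfies all three clauses of the rule.

    process.args is a list of strings (one per argument), so the args clause is
    an any-of test over that list, as a KQL term query on a keyword field is.
    ignore_case is an added option (assumption, not part of the rule) that
    models normalising the field before matching.
    """
    if event.get("event", {}).get("action") != PROCESS_CREATE:
        return False
    proc = event.get("process", {})
    if proc.get("name") != "certutil.exe":
        return False
    args = proc.get("args") or []
    if ignore_case:
        args = [a.lower() for a in args]
    return any(a in ENCODE_DECODE_ARGS for a in args)


def make_event(name: str, args: list) -> dict:
    """Build a minimal ECS-shaped Sysmon Event ID 1 record (constructed sample)."""
    return {"event": {"action": PROCESS_CREATE},
            "process": {"name": name, "args": [name] + args}}


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    make_event("certutil.exe", ["-decode", "payload.txt", "payload.exe"]),   # alerts
    make_event("certutil.exe", ["-urlcache", "-split", "-f", "http://example.invalid/a"]),
    make_event("certutil.exe", ["-Encode", "in.bin", "out.txt"]),            # case variant
    make_event("cmd.exe", ["/c", "certutil -decode x y"]),                   # wrong process.name
]


def alerting_indices(events: list, ignore_case: bool = False) -> list:
    """Indices of events that would produce a signal under the rule logic."""
    return [i for i, e in enumerate(events) if matches_rule(e, ignore_case)]


if __name__ == "__main__":
    print(alerting_indices(SAMPLE_EVENTS))        # [0]
    print(alerting_indices(SAMPLE_EVENTS, True))  # [0, 2]
```

The fourth sample shows that a certutil command embedded in a cmd.exe argument string is not caught by this event; it only alerts once cmd.exe spawns certutil.exe as its own process and that creation event is indexed.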
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Deobfuscate/Decode Files or Information
  - ID: T1140
  - Reference URL: https://attack.mitre.org/techniques/T1140/