Encoding or Decoding Files via CertUtil¶
Find execution of the Windows tool certutil.exe to decode or encode files.
| id: | c6facc54-4894-4722-b873-062baaae851f |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1140 Deobfuscate/Decode Files or Information |
Query¶
process where subtype.create and
process_name == "certutil.exe" and
(command_line == "*encode *" or command_line == "*decode *")