File Decoded From Base64/Hex Via Certutil.EXE (cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7)
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | File Decoded From Base64/Hex Via Certutil.EXE (cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7) | Sigma-Rules | 1 |