File In Suspicious Location Encoded To Base64 Via Certutil.EXE (82a6714f-4899-4f16-9c1e-9a333544d4c3)

Detects the execution of certutil with the "encode" flag to encode a file to base64, where the file is located in a potentially suspicious location.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | File In Suspicious Location Encoded To Base64 Via Certutil.EXE (82a6714f-4899-4f16-9c1e-9a333544d4c3) | Sigma-Rules | 1 |