title: Deobfuscate or Decode Files
description: Detect certutil encoding and decoding of executables,
  or use of renamed certutil.exe for bypassing detections.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1140
   subtechnique: 
operating_system: windows
query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
  ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
  OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
false_positives: 
tags: