File decoded from base64/hex via certutil.exe

Intel Name: File decoded from base64/hex via certutil.exe

Date of Scan: June 5, 2025

Impact: Medium

Summary:
“File Decoded From Base64/Hex Via Certutil.EXE” refers to the detection of the Windows utility certutil.exe being run with the -decode or -decodehex flag to convert base64- or hex-encoded data into executable files. Although certutil is a legitimate tool, attackers often abuse it to decode malicious payloads on a compromised system prior to execution, making this activity a strong indicator of potential post-exploitation behavior.
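A sketch of the matching logic behind this kind of detection, run over constructed process-creation events; it is an added example, not the vendor's rule. The event field names are assumptions, and it goes slightly beyond the summary by also accepting the `/` switch prefix and by checking the PE OriginalFileName so a renamed copy of certutil still matches.

```python
import re

# Verbs named in the summary; certutil accepts "-" or "/" as the switch prefix.
DECODE_VERBS = {"decode", "decodehex"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def is_certutil(event):
    """Match image file name or PE OriginalFileName, so a renamed copy still hits."""
    image_name = event.get("image", "").lower().rsplit("\\", 1)[-1]
    original = event.get("original_file_name", "").lower()
    return "certutil.exe" in (image_name, original)

def detect_certutil_decode(event):
    """Return verb and input/output paths if certutil decodes a file, else None."""
    if not is_certutil(event):
        return None
    # Split on whitespace, keeping double-quoted paths whole; drop argv[0].
    args = [q or bare for q, bare in TOKEN_RE.findall(event.get("command_line", ""))][1:]
    for i, arg in enumerate(args):
        if arg[:1] in ("-", "/") and arg[1:].lower() in DECODE_VERBS:
            paths = [a for a in args[i + 1:] if a[:1] not in ("-", "/")]
            paths += [None, None]  # pad so a truncated command line still reports
            return {"verb": arg[1:].lower(), "input": paths[0], "output": paths[1]}
    return None

# Constructed process-creation events (field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": r'certutil.exe -decode "C:\Users\Public\up date.txt" C:\Users\Public\update.exe'},
    {"image": r"C:\Users\Public\cu.exe", "original_file_name": "CertUtil.exe",
     "command_line": r"cu.exe /DecodeHex in.hex out.bin"},
    {"image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"},
    {"image": r"C:\Tools\b64.exe", "original_file_name": "b64.exe",
     "command_line": r"b64.exe -decode in.txt out.bin"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", detect_certutil_decode(ev))
```

The returned output path is the file worth triaging first: its extension, location and any later process start from that path separate administrative use from payload staging.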
