Tag
This rule detects suspicious use of certutil.exe, a native Windows utility often abused by attackers for downloading/deobfuscating malware and exfiltrating data, by identifying commands involving decoding, encoding, URL caching, CTL verification, and PFX exporting, which are frequently used for command and control and defense evasion.