
Summary
This detection rule identifies when the Windows command-line utility `certutil.exe` is executed with the `encode` flag to convert a file into Base64 format. Threat actors may misuse this functionality for data exfiltration, encapsulating sensitive information in a format that can easily be transferred over protocols that do not support binary data directly. Detection is achieved by monitoring process creation events and inspecting the command-line arguments used during execution. The rule applies to Windows endpoints where process creation events, including command-line arguments, are logged. Because legitimate uses of `certutil -encode` are common in administrative tasks, this rule may yield some false positives, so alerts should be triaged in context rather than treated as confirmed malicious.
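The matching logic described above, written out as an added Python example (this is not the rule's own query) and run over constructed Sysmon-style process-creation records. The field names `Image`, `CommandLine` and `User` follow Sysmon Event ID 1; every sample value is invented. The matcher accepts both `-encode` and `/encode` case-insensitively and deliberately does not match `-encodehex`, which is a different verb.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\alice",
     "CommandLine": r"certutil.exe -encode C:\Users\alice\Documents\payroll.xlsx C:\Temp\out.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\bob",
     "CommandLine": r'certutil  /ENCODE  "C:\Program Files\App\config.db" c:\temp\c.b64'},
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\admin",
     "CommandLine": r"certutil -encodehex C:\Temp\cert.cer C:\Temp\cert.hex"},   # hex, not Base64
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\admin",
     "CommandLine": r"certutil -decode C:\Temp\in.txt C:\Temp\in.bin"},          # decode, not encode
    {"Image": r"C:\Windows\System32\cmd.exe", "User": "CORP\\carol",
     "CommandLine": r"cmd.exe /c echo -encode"},                                   # wrong image
]

# Tokenizer for Windows command lines: keeps double-quoted paths together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_certutil_encode(event: Dict[str, str]) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Return (input_path, output_path) when the event is certutil.exe run with the
    Base64 encode verb, otherwise None. Image is matched on its file name only."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "certutil.exe":
        return None
    tokens = [t.strip('"') for t in TOKEN_RE.findall(event.get("CommandLine", ""))]
    for i, tok in enumerate(tokens):
        # Verb must be exactly "encode" after the -/ prefix, so -encodehex does not match.
        if tok.startswith(("-", "/")) and tok[1:].lower() == "encode":
            positional = [a for a in tokens[i + 1:] if not a.startswith(("-", "/"))]
            src = positional[0] if positional else None
            dst = positional[1] if len(positional) > 1 else None
            return (src, dst)
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run the rule over a list of events and return one alert record per match."""
    alerts = []
    for ev in events:
        parsed = parse_certutil_encode(ev)
        if parsed is not None:
            alerts.append({"user": ev.get("User"), "input": parsed[0],
                           "output": parsed[1], "command_line": ev.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The returned input and output paths are what an analyst needs for triage: the sensitivity of the source file and where the Base64 text was written decide whether an alert is an administrative task or a likely staging step for exfiltration.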
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-02-24