File Decoded From Base64/Hex Via Certutil.EXE

Sigma Rules

Summary
This detection rule identifies the execution of CertUtil.exe with the "-decode" or "-decodehex" flag. CertUtil is a command-line tool shipped with the Windows operating system, commonly used for managing certificates and CRLs (Certificate Revocation Lists). Attackers may abuse this tool to decode base64- or hex-encoded payloads, often as a precursor to executing malicious code. By monitoring processes that invoke CertUtil in this manner, security teams can identify potential instances of privilege escalation or code execution that could indicate a compromise. The rule captures any invocation of CertUtil with these specific flags, signaling a possible evasion technique in use by threat actors. The detection combines conditions on the image name and the command-line arguments to identify potentially malicious activity precisely.
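The following is an added example of the image-name plus command-line logic the summary describes, run over constructed process-creation events; it is not the Sigma rule's own YAML and does not come from the rule's authors. It assumes Sysmon-style field names (`Image`, `CommandLine`) and, going one step beyond the summary, also normalises the slash form of the flags (`/decode`, `/decodehex`), which certutil accepts in place of the dash form, so that a trivial flag-spelling change does not bypass the check.

```python
"""Toy matcher for 'File Decoded From Base64/Hex Via Certutil.EXE'.

Added example: mirrors the rule's described conditions (image name ends in
certutil.exe AND command line carries -decode / -decodehex). Field names
follow the Sysmon process_creation convention; this is an assumption, the
page itself does not show the rule body.
"""

# Flags the rule summary names; matched case-insensitively as a substring,
# which is how Sigma's 'contains' modifier behaves on Windows logs.
DECODE_FLAGS = ("-decode", "-decodehex")

# Constructed sample events (not real telemetry). Two should fire, three
# should not: an -encode run, a certificate verify, and an unrelated binary
# that happens to take a -decode argument.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\in.txt C:\Users\Public\out.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decodehex C:\temp\blob.hex C:\temp\blob.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode C:\temp\file.bin C:\temp\file.b64"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\temp\cert.cer"},
    {"Image": r"C:\Tools\mytool.exe",
     "CommandLine": r"mytool.exe -decode something"},
]


def _normalise_cmdline(cmdline: str) -> str:
    """Lower-case the command line and rewrite '/flag' tokens as '-flag'.

    Assumption noted in the lead-in: certutil accepts both prefixes, so the
    detection treats them as equivalent. Everything else is left untouched.
    """
    tokens = []
    for tok in cmdline.lower().split():
        if tok.startswith("/") and len(tok) > 1:
            tok = "-" + tok[1:]
        tokens.append(tok)
    return " ".join(tokens)


def matches_certutil_decode(event: dict) -> bool:
    """Return True when the event satisfies both rule conditions.

    Condition 1: the image path ends in \\certutil.exe (case-insensitive).
    Condition 2: the command line contains one of the decode flags.
    Missing fields are treated as empty strings, so a partial event never
    raises; it simply does not match.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\certutil.exe"):
        return False
    cmdline = _normalise_cmdline(event.get("CommandLine", ""))
    return any(flag in cmdline for flag in DECODE_FLAGS)


def scan(events) -> list:
    """Return the command lines of every event that triggers the rule."""
    return [e.get("CommandLine", "") for e in events if matches_certutil_decode(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT certutil decode:", hit)
```

Running the file prints one alert line per matching event; the `-encode` and `-verify` invocations stay silent, as does the unrelated `mytool.exe` call, because the image-name condition is evaluated before the flag check. The substring match on `-decode` also covers `-decodehex`, so the second flag is listed only to make the rule's intent explicit.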
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-02-15