
Certutil Obfuscate_Encode Files

Anvilogic Forge

Summary
This detection rule identifies the use of Certutil, a built-in Windows utility, to encode files, an activity threat actors use to obfuscate data and evade detection. Specifically, the rule captures events in which a process invokes Certutil with the '-encode' or '-encodehex' parameters, which encode files and can be used to circumvent security defenses. The rule filters process and network connection events so that related activity is monitored comprehensively. It aims to detect behaviors associated with known threat actors such as APT29 and BlackTech, and to record the generation of obfuscated files in endpoint data. Using Splunk queries, the detection aggregates the relevant data points into a structured format so that analysts can quickly identify potential threats.
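The core of the rule above, written out as an added example rather than Anvilogic's own Splunk logic: a small Python matcher run over constructed process-creation events. It goes slightly beyond the page by also matching the '/' switch form that Certutil accepts alongside '-'. The key=value field names (host, user, parent_process, process, command_line) and the sample events are assumptions made up for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in key=value form, roughly what a SIEM
# might ingest from Windows 4688 or Sysmon telemetry. Not real data; the field
# names are assumptions for this example, not the rule's own schema.
SAMPLE_EVENTS = [
    'EventCode=4688 host=WS01 user=CORP\\alice parent_process=cmd.exe '
    'process=C:\\Windows\\System32\\certutil.exe '
    'command_line="certutil -f -encode C:\\Users\\alice\\data.bin C:\\Users\\alice\\data.txt"',
    'EventCode=4688 host=WS02 user=CORP\\bob parent_process=powershell.exe '
    'process=C:\\Windows\\System32\\certutil.exe '
    'command_line="certutil.exe /EncodeHex secret.dll out.hex"',
    'EventCode=4688 host=WS03 user=CORP\\carol parent_process=explorer.exe '
    'process=C:\\Windows\\System32\\certutil.exe command_line="certutil -verify cert.cer"',
    'EventCode=4688 host=WS04 user=CORP\\dave parent_process=cmd.exe '
    'process=C:\\Windows\\System32\\notepad.exe command_line="notepad -encode notes.txt"',
]

# The two encoding switches the rule looks for; certutil also takes '/' as the prefix.
ENCODE_SWITCHES = {"encode", "encodehex"}

# key=value pairs, where a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def encode_switch(command_line: str) -> Optional[str]:
    """Return the certutil encoding switch in the command line, or None."""
    for token in command_line.split():
        if token and token[0] in "-/" and token[1:].lower() in ENCODE_SWITCHES:
            return token[1:].lower()
    return None


def detect_certutil_encode(lines: List[str]) -> List[Dict[str, str]]:
    """Flag certutil.exe processes started with -encode or -encodehex."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image != "certutil.exe":
            continue  # '-encode' on some other binary is not this rule's concern
        switch = encode_switch(ev.get("command_line", ""))
        if switch is None:
            continue  # certutil doing something else, e.g. -verify
        hits.append({"host": ev.get("host", ""), "user": ev.get("user", ""),
                     "parent_process": ev.get("parent_process", ""),
                     "switch": switch, "command_line": ev.get("command_line", "")})
    return hits
```

Matching on the image name plus the switch keeps the alert tied to the tool the rule describes; a renamed copy of certutil would need an additional check (for example on the binary's original file name field) that this example does not include.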
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1027
  • T1132
Created: 2024-02-09