Analytics Story: Deobfuscate-Decode Files or Information

Description

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

Why it matters

An example of obfuscated files is Certutil.exe usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CertUtil With Decode Argument Deobfuscate/Decode Files or Information TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1