T1140

Deobfuscate/Decode Files or Information

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable e...

Platforms: ESXi, Linux, macOS, Windows

55 Detections | 4 Sources | 38 Threat Actors

BY SOURCE

elastic: 37 | sigma: 14 | crowdstrike_cql: 2 | splunk_escu: 2

PROCEDURES (38)

Auto-extracted keyword clusters, with the number of detections matched by each:

Amsi: 6 detections
Bypass: 4 detections
Base64: 4 detections
Suspicious: 3 detections
Encrypt: 2 detections
Token: 2 detections
Obfuscat: 2 detections
Suspicious: 2 detections
Child Process: 1 detection
Bypass: 1 detection
Kernel Monitoring: 1 detection
Http: 1 detection
Unusual: 1 detection
Download: 1 detection
Process Creation Monitoring: 1 detection
Obfuscat: 1 detection
Obfuscat: 1 detection
Encrypt: 1 detection
Unusual: 1 detection
Amsi: 1 detection
Powershell: 1 detection
Script Block: 1 detection
Service: 1 detection
Service: 1 detection
Child Process: 1 detection
Container: 1 detection
Suspicious: 1 detection
Powershell: 1 detection
Command And Control: 1 detection
Container: 1 detection
Inject: 1 detection
Exfiltrat: 1 detection
Base64: 1 detection
Download: 1 detection
Command Line Monitoring: 1 detection
Http: 1 detection
Container: 1 detection
Evasion: 1 detection

DETECTIONS (55)

Detection | Source | Severity
Base16 or Base32 Encoding/Decoding Activity | elastic | medium
Base64 Decoded Payload Piped to Interpreter | elastic | high
Base64 Encoded PowerShell Command Detected | sigma | high
CertUtil With Decode Argument | splunk_escu |
Command Line Obfuscation via Whitespace Padding | elastic | medium
Decoded Payload Piped to Interpreter Detected via Defend for Containers | elastic | high
Deprecated - Encoded Executable Stored in the Registry | elastic | medium
Deprecated - Potential PowerShell Obfuscated Script | elastic | low
DNS-over-HTTPS Enabled by Registry | sigma | medium
Dynamic IEX Reconstruction via Method String Access | elastic | low
Encoded Payload Detected via Defend for Containers | elastic | medium
Execution via OpenClaw Agent | elastic | medium
InstallFix on macOS | crowdstrike_cql |
Kernel Unpacking Activity | elastic | medium
Linux Auditd Base64 Decode Files | splunk_escu |
Linux Base64 Encoded Pipe to Shell | sigma | medium
Linux Base64 Encoded Shebang In CLI | sigma | medium
Linux Shell Pipe to Shell | sigma | medium
LOLBin Certutil | crowdstrike_cql |
MSHTA Execution with Suspicious File Extensions | sigma | high
Multi-Base64 Decoding Attempt from Suspicious Location | elastic | medium
Payload Decoded and Decrypted via Built-in Utilities | sigma | medium
Ping Hex IP | sigma | high
Potential Base64 Decoded From Images | sigma | high
Potential Commandline Obfuscation Using Escape Characters | sigma | medium
Potential Dynamic IEX Reconstruction via Environment Variables | elastic | medium
Potential Hex Payload Execution via Command-Line | elastic | low
Potential Hex Payload Execution via Common Utility | elastic | low
Potential PowerShell Obfuscated Script via High Entropy | elastic | low
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion | elastic | high
Potential PowerShell Obfuscation via Character Array Reconstruction | elastic | high
Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation | elastic | high
Potential PowerShell Obfuscation via High Numeric Character Proportion | elastic | low
Potential PowerShell Obfuscation via Invalid Escape Sequences | elastic | medium
Potential PowerShell Obfuscation via Reverse Keywords | elastic | low
Potential PowerShell Obfuscation via Special Character Overuse | elastic | medium
Potential PowerShell Obfuscation via String Concatenation | elastic | high
Potential PowerShell Obfuscation via String Reordering | elastic | medium
PowerShell Base64 Encoded FromBase64String Cmdlet | sigma | high
PowerShell Decompress Commands | sigma | informational
PowerShell Obfuscation via Negative Index String Reversal | elastic | low
PowerShell Script with Encryption/Decryption Capabilities | elastic | medium
PowerShell Suspicious Payload Encoded and Compressed | elastic | high
ROT Encoded Python Script Execution | elastic | medium
Suspicious .NET Reflection via PowerShell | elastic | medium
Suspicious CertUtil Commands | elastic | medium
Suspicious Content Extracted or Decompressed via Funzip | elastic | medium
Suspicious Echo or Printf Execution Detected via Defend for Containers | elastic | high
Suspicious Execution from Foomatic-rip or Cupsd Parent | elastic | high
Suspicious Inbox Manipulation Rules | sigma | high
Suspicious Interpreter Execution Detected via Defend for Containers | elastic | medium
Suspicious Windows Powershell Arguments | elastic | medium
Suspicious XOR Encoded PowerShell Command | sigma | medium
Unusual Base64 Encoding/Decoding Activity | elastic | low
Web Server Potential Command Injection Request | elastic | low