Obfuscated Files or Information T1027

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Events covered

24 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 200 rules listed under "Rules under this technique" below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule is counted at most once per row, however many predicates it places on that field.

Fields filtered most (62 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators authors use (eq, contains, ends_with, regex_match, match, and so on) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

Each entry: Field (number of rules), then How, then Sample values.

CommandLine (91 rules)
  How: contains 57, regex_match 26, match 15, is_not_null 4, wildcard 4, in 3, ends_with 1, eq 1
  Sample values: (?i)(copy|more|Get-Content|type|cat|gc)\s+.*?((\/b\s+\S+\..., (?i)-encode, (?i)CreateDecryptor, -encode, tvqqaamaaaaeaaa

EventID (41 rules)
  How: eq 41
  Sample values: 4688, 4104, 1, 4103, 11

Image (39 rules)
  How: ends_with 33, contains 4, eq 3, is_null 2, regex_match 2, starts_with 1, wildcard 1
  Sample values: \powershell.exe, \pwsh.exe, \certutil.exe, \cmd.exe, \csc.exe

OriginalFileName (31 rules)
  How: eq 29, contains 1, in 1
  Sample values: powershell.exe, pwsh.dll, certutil.exe, powershell_ise.exe, csc.exe

ScriptBlockText (24 rules)
  How: contains 16, regex_match 8, ends_with 1, eq 1, in 1, match 1
  Sample values: &&, frombase64string, -value (-join(, "(\{\d\}){2,}"\s*-f, ${env:path}

process_name (20 rules)
  How: eq 12, match 6, in 3
  Sample values: (?i)certutil, powershell.exe, cmd.exe, csc.exe, powershell_ise.exe

ImagePath (12 rules)
  How: contains 11, match 2, regex_match 1
  Sample values: &&, /c, -f, "set, $

Payload (12 rules)
  How: regex_match 7, contains 5, ends_with 1
  Sample values: &&, (?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c, (?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*", (?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?), (window.close)

ServiceFileName (12 rules)
  How: contains 11, match 1, regex_match 1
  Sample values: &&, -f, /c, /c , /r

Type (12 rules)
  How: eq 12
  Sample values: (none listed)

Esql.script_block_pattern_count (10 rules)
  How: ge 10
  Sample values: 1, 2, 20, 5

Provider_Name (10 rules)
  How: eq 10
  Sample values: Service Control Manager

Esql.script_block_length (9 rules)
  How: gt 9
  Sample values: 500, 1000

TargetFilename (8 rules)
  How: ends_with 4, contains 2, regex_match 1, starts_with 1, wildcard 1
  Sample values: .cmdline, .exe, /run/systemd/units/invocation:systemd-fsck@, /sys/firmware/, /var/log/journal/

event.type (8 rules)
  How: eq 7, in 1
  Sample values: start, change, creation

Top indicator values (1177 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The corpus reach figure counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own (EventID eq 4688 by itself matches every process-creation event); combine them with another condition for useful signal. A blank corpus reach means the combination is specific to rules under this technique.

Each line: Field Kind Value (rules here, corpus reach).

EventID eq 4688  (15, 312)
EventID eq 4104  (11, 268)
EventID eq 1  (9, 232)
EventID eq 4103  (7, 105)
EventID eq 11  (3, 23)
Image ends_with \powershell.exe  (13, 186)
Image ends_with \pwsh.exe  (12, 172)
Image ends_with \certutil.exe  (8, 44)
Image ends_with \cmd.exe  (3, 134)
OriginalFileName eq powershell.exe  (13, 121)
OriginalFileName eq pwsh.dll  (13, 112)
OriginalFileName eq certutil.exe  (8, 21)
OriginalFileName eq powershell_ise.exe  (4, 51)
Provider_Name eq Service Control Manager  (10, 50)
event.type eq start  (7, 241)
Esql.script_block_length gt 500  (6, 6)
Esql.script_block_length gt 1000  (3, 3)
Esql.script_block_pattern_count ge 1  (6, 6)
CommandLine contains urlcache  (5, 5)
CommandLine contains verifyctl  (5, 5)
CommandLine contains -encode  (3, 3)
CommandLine contains tvqqaamaaaaeaaa  (3, 3)
CommandLine contains url  (3, 3)
ImagePath contains cmd  (4, 5)
ServiceFileName contains cmd  (4, 5)
process_name eq powershell.exe  (4, 99)
process_name match (?i)certutil  (4, 4)
CommandLine match (?i)-encode  (3, 3)
CommandLine regex_match (?i)(copy|more|Get-Content|type|cat|gc)\s+.*?((\/b\s+\S+\.dll\s+\+\s*\S+\.dll...  (3, 3)
CommandLine regex_match (?i)CreateDecryptor  (3, 3)

Exclusions (150 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Each line: Field Kind Value (rules excluding).

ParentCommandLine contains \programdata\microsoft\windows defender advanced threat protection  (2)
ParentCommandLine contains caewaiagyayqbpagwazqbkaciaogb0ahiadqblacwaigbtahmazwaiadoaigbbag4acwbpagiabab...  (2)
ParentCommandLine contains jwb7aciazgbhagkabablagqaiga6ahqacgb1agualaaiag0acwbnaciaogaiaeeabgbzagkaygbsa...  (2)
ParentCommandLine contains nahsaigbmageaaqbsaguazaaiadoadabyahuazqasaciabqbzagcaiga6aciaqqbuahmaaqbiagwa...  (2)
ParentImage eq c:\programdata\chocolatey\choco.exe  (2)
ParentImage eq c:\windows\system32\inetsrv\w3wp.exe  (2)
ParentImage eq c:\windows\system32\sdiagnhost.exe  (2)
ParentImage starts_with c:\program files (x86)\  (2)
ParentImage starts_with c:\program files\  (2)
parent_process_name regex_match (?i)(^C:\x5cProgram\sFiles)|(sdiagnhost|w3wp|choco)\.exe  (2)
CommandLine contains -enc  (1)
CommandLine contains -encodedcommand  (1)
CommandLine contains -ma  (1)
CommandLine contains -n  (1)
CommandLine contains ${env:path}  (1)

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's full predicates, exclusions, and indicators are recorded on its own page.

Sigma: 118 rules
Elastic: 23 rules
Splunk: 48 rules
Kusto: 9 rules
YARA-L: 2 rules