Deobfuscate/Decode Files or Information T1140

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information, depending on how they intend to use it. Methods for doing so include built-in functionality of the malware or the use of utilities already present on the system.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 44 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| CommandLine | 23 | contains 19, match 5, is_not_null 4, regex_match 4, ends_with 2, wildcard 1 | decode, tvqqaamaaaaeaaa, (?i)-decode, .decode('base64'), .decode64( |
| Esql.script_block_pattern_count | 10 | ge 10 | 1, 2, 20, 5 |
| Image | 10 | ends_with 8, regex_match 1, starts_with 1 | /wget, \certutil.exe, `(system32\|syswow64)\\windowspowershell\\v1\.0\\powershell...`, /openssl, \mshta.exe |
| Esql.script_block_length | 9 | gt 9 | 500, 1000 |
| EventID | 8 | eq 8 | 4688, 1 |
| process_name | 6 | eq 4, match 2 | (?i)certutil, certutil.exe, cmd.exe, powershell.exe |
| ScriptBlockText | 5 | contains 4, match 1 | +, `` ` ``, char, `rahc\|metsys\|stekcos\|tcejboimw\|ecalper\|ecnerferpe\|noitcenn...`, {0} |
| file.directory | 5 | is_null 5 | |
| OriginalFileName | 4 | eq 4 | certutil.exe, mshta.exe, powershell.exe, pwsh.dll |
| Esql.script_block_ratio | 3 | gt 2, ge 1 | 0.35, 0.5, 0.75 |
| event.type | 3 | eq 3 | start |
| parent_process_name | 3 | ends_with 1, eq 1, in 1 | explorer.exe, \WmiPrvSE.exe, cmd.exe, mobsync.exe |
| process.args | 3 | eq 3, starts_with 1, wildcard 1 | $*$*;set-alias, &{', -CommandParamVariation, /b, > |
| Details | 2 | eq 1, starts_with 1 | DWORD (0x00000001), TVqQAAMAAAAEAAAA, secure |
| EventData | 2 | contains 2 | .decode('base64'), .decode64(, base64 --decode, tvqqaamaaaaeaaa |

Top indicator values (266 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| Esql.script_block_length | gt | 500 | 6 | 6 |
| Esql.script_block_length | gt | 1000 | 3 | 3 |
| Esql.script_block_pattern_count | ge | 1 | 6 | 6 |
| Esql.script_block_pattern_count | ge | 2 | 2 | 2 |
| EventID | eq | 4688 | 6 | 312 |
| EventID | eq | 1 | 2 | 232 |
| CommandLine | contains | decode | 3 | 4 |
| CommandLine | contains | tvqqaamaaaaeaaa | 3 | 3 |
| CommandLine | contains | .decode('base64') | 2 | 2 |
| CommandLine | contains | .decode64( | 2 | 2 |
| CommandLine | contains | base64 --decode | 2 | 2 |
| CommandLine | contains | -single | 1 | |
| CommandLine | contains | do start wordpad.exe /p | 1 | |
| CommandLine | contains | --no-check-certificate | 1 | |
| CommandLine | contains | -connect | 1 | |
| CommandLine | contains | -encodedcommand | 1 | 3 |
| CommandLine | contains | -join | 1 | |
| CommandLine | contains | -join" | 1 | |
| CommandLine | contains | -join' | 1 | |
| event.type | eq | start | 3 | 241 |
| CommandLine | match | (?i)-decode | 2 | 2 |
| Image | ends_with | /wget | 2 | 5 |
| Image | ends_with | \certutil.exe | 2 | 44 |
| OriginalFileName | eq | certutil.exe | 2 | 21 |
| process_name | eq | certutil.exe | 2 | 22 |
| process_name | match | (?i)certutil | 2 | 4 |
| CleanProcessCommandLine | contains | decode | 1 | |
| CleanProcessCommandLine | contains | encode | 1 | |
| CleanProcessCommandLine | contains | url | 1 | |
| CleanProcessCommandLine | contains | verify | 1 | |

Exclusions (35 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| CommandLine | contains | & {$j = sajb {add-type -assemblyname | 1 |
| CommandLine | contains | https://10. | 1 |
| CommandLine | contains | https://127. | 1 |
| CommandLine | contains | https://169.254. | 1 |
| CommandLine | contains | https://172.16. | 1 |
| CommandLine | contains | https://172.17. | 1 |
| CommandLine | contains | https://172.18. | 1 |
| CommandLine | contains | https://172.19. | 1 |
| CommandLine | contains | https://172.20. | 1 |
| CommandLine | contains | https://172.21. | 1 |
| CommandLine | contains | https://172.22. | 1 |
| CommandLine | contains | https://172.23. | 1 |
| CommandLine | contains | https://172.24. | 1 |
| CommandLine | contains | https://172.25. | 1 |
| CommandLine | contains | https://172.26. | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 14 rules

Elastic 17 rules

Splunk 5 rules

Kusto 7 rules

YARA-L 1 rule