Obfuscated Files or Information T1027

Tactic: Defense Evasion

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Events covered

28 catalog events are tagged with this technique by at least one rule.

Provider                       Event            Title
Sysmon                         Event ID 1       Process creation
Sysmon                         Event ID 5       Process terminated
Sysmon                         Event ID 7       Image loaded
Sysmon                         Event ID 11      FileCreate
Sysmon                         Event ID 12      RegistryEvent (Object create and delete)
Sysmon                         Event ID 13      RegistryEvent (Value Set)
Sysmon                         Event ID 14      RegistryEvent (Key and Value Rename)
Security-Auditing              Event ID 4656    A handle to an object was requested.
Security-Auditing              Event ID 4658    The handle to an object was closed.
Security-Auditing              Event ID 4663    An attempt was made to access an object.
Security-Auditing              Event ID 4688    A new process has been created.
Security-Auditing              Event ID 4689    A process has exited.
Security-Auditing              Event ID 4697    A service was installed in the system.
Security-Auditing              Event ID 4698    A scheduled task was created.
Security-Auditing              Event ID 4799    A security-enabled local group membership was enumerated.
Security-Auditing              Event ID 5038    Code integrity determined that the image hash of a file is not valid.
Security-Auditing              Event ID 5379    Credential Manager credentials were read.
Security-Auditing              Event ID 6281    Code Integrity determined that the page hashes of an image file are not valid.
Defender-DeviceEvents          any              Defender event (any)
Defender-DeviceProcessEvents   any              Process activity (any)
ESF                            exec             Process Execution (Notify)
Linux-Auditd                   Event ID 1309    EXECVE
PowerShell                     Event ID 4103    Payload Context: ContextInfo User Data: UserData.
PowerShell                     Event ID 4104    Creating Scriptblock text (MessageNumber of MessageTotal).
PowerShell                     Event ID 800     Pipeline execution details
Service-Control-Manager        Event ID 7045    A service was installed in the system.
Sysmon-for-Linux               Event ID 1       Process Create
Sysmon-for-Linux               Event ID 11      File created

Authoring guide

Patterns shared across the 242 rules under this technique (listed at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (97 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

CommandLine (103 rules)
  How: contains 68, regex_match 26, match 16, wildcard 9, is_not_null 4, in 3, ends_with 1, eq 1, length_compare 1
  Sample values: (?i)(copy|more|Get-Content|type|cat|gc)\s+.*?((\/b\s+\S+\..., (?i)-encode, (?i)CreateDecryptor, -d, -encode

Image (45 rules)
  How: ends_with 36, contains 5, eq 4, is_null 2, regex_match 2, is_not_null 1, starts_with 1, wildcard 1
  Sample values: \powershell.exe, \pwsh.exe, \certutil.exe, \cmd.exe, \csc.exe

EventID (41 rules)
  How: eq 41
  Sample values: 4688, 4104, 1, 4103, 11

process_name (33 rules)
  How: eq 16, in 13, starts_with 8, match 6, wildcard 2
  Sample values: base16, base32, base64, (?i)certutil, powershell.exe

OriginalFileName (31 rules)
  How: eq 29, contains 1, in 1
  Sample values: powershell.exe, pwsh.dll, certutil.exe, powershell_ise.exe, csc.exe

ScriptBlockText (29 rules)
  How: contains 17, regex_match 8, eq 6, in 5, ends_with 1, match 1
  Sample values: frombase64string, &&, -value (-join(, "(\{\d\}){2,}"\s*-f, $env:comspec[4

event.type (23 rules)
  How: eq 22, in 1
  Sample values: start, change, creation

EventType (20 rules)
  How: eq 11, in 7, ne 2, contains 1
  Sample values: exec, ProcessRollup2, exec_event, IntrusionEvent, FileEvent

process.args (14 rules)
  How: eq 12, wildcard 5, contains 3, starts_with 3, in 2, ends_with 1
  Sample values: -c, *-*d*, -r, $*$*;set-alias, &&

ImagePath (12 rules)
  How: contains 11, match 2, regex_match 1
  Sample values: &&, /c, -f, "set, $

Payload (12 rules)
  How: regex_match 7, contains 5, ends_with 1
  Sample values: &&, (?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c, (?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*", (?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?), (window.close)

ServiceFileName (12 rules)
  How: contains 11, match 1, regex_match 1
  Sample values: &&, -f, /c, /c , /r

Type (12 rules)
  How: eq 12
  Sample values: none listed

Esql.script_block_pattern_count (10 rules)
  How: ge 10
  Sample values: 1, 2, 20, 5

Provider_Name (10 rules)
  How: eq 10
  Sample values: Service Control Manager

Top indicator values (1597 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own (Image ends_with \powershell.exe is checked by 182 rules catalog-wide); combine them with another condition, such as an encoding flag on the command line, for useful signal. Blank means the combination is specific to rules under this technique.

Field                             Kind         Value                      Rules (here)   Corpus reach
event.type                        eq           start                                22            606
EventID                           eq           4688                                 15            313
EventID                           eq           4104                                 11            268
EventID                           eq           1                                     9            237
EventID                           eq           4103                                  7            105
Image                             ends_with    \powershell.exe                      13            182
Image                             ends_with    \pwsh.exe                            12            168
Image                             ends_with    \certutil.exe                         8             43
OriginalFileName                  eq           powershell.exe                       13            120
OriginalFileName                  eq           pwsh.dll                             13            112
OriginalFileName                  eq           certutil.exe                          8             21
Provider_Name                     eq           Service Control Manager              10             50
event.category                    eq           process                               9            128
Esql.script_block_length          gt           500                                   6              6
Esql.script_block_pattern_count   ge           1                                     6              6
EventType                         in           ProcessRollup2                        6            117
EventType                         in           exec                                  6            171
EventType                         in           exec_event                            5            139
EventType                         in           start                                 5            134
process.args                      eq           -c                                    6             30
process.args                      eq           -e                                    5             15
process_name                      in           base16                                6              6
process_name                      in           base32                                6              7
process_name                      in           base64                                6              8
process_name                      in           base64mime                            5              5
process_name                      in           base64pem                             5              5
process_name                      in           base64plain                           5              5
process_name                      starts_with  python                                6             31
CommandLine                       contains     urlcache                              5              5
CommandLine                       contains     verifyctl                             5              5

Exclusions (257 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: SYSTEM-context processes, EDR and package-manager parents, and known tooling directories. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field               Kind      Rules excluding   Value
user.id             eq        4                 S-1-5-18
CurrentDirectory    wildcard  2                 /opt/zeek
CurrentDirectory    wildcard  2                 /proc/self/fd/*/usr/local/zeek
CurrentDirectory    wildcard  2                 /usr/local/zeek
CurrentDirectory    wildcard  2                 /usr/local/zeek_old_install
CurrentDirectory    wildcard  2                 /var/lib/docker/overlay2/*/opt/zeek
CurrentDirectory    wildcard  2                 /var/lib/docker/overlay2/*/usr/local/zeek
ParentCommandLine   contains  2                 \programdata\microsoft\windows defender advanced threat protection
ParentCommandLine   contains  2                 caewaiagyayqbpagwazqbkaciaogb0ahiadqblacwaigbtahmazwaiadoaigbbag4acwbpagiabab...
ParentCommandLine   contains  2                 extendedglob
ParentCommandLine   contains  2                 jwb7aciazgbhagkabablagqaiga6ahqacgb1agualaaiag0acwbnaciaogaiaeeabgbzagkaygbsa...
ParentCommandLine   contains  2                 nahsaigbmageaaqbsaguazaaiadoadabyahuazqasaciabqbzagcaiga6aciaqqbuahmaaqbiagwa...
ParentImage         eq        2                 c:\programdata\chocolatey\choco.exe
ParentImage         eq        2                 c:\windows\system32\inetsrv\w3wp.exe
ParentImage         eq        2                 c:\windows\system32\sdiagnhost.exe
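The following Python is an added illustration, not code from the catalog or from any vendor's rule set. It shows the mechanics the authoring guide describes: vendor field names normalized to one key (Sigma's Image, Elastic's process.name, Splunk's process_name), the per-field operators from the fields table, a selection ANDed with top-level not() exclusions, and the noisy-indicator point from the indicators table (powershell.exe alone does not fire; it needs the encoding flag). It also decodes the -EncodedCommand payload, because the base64-over-UTF-16LE wrapper is what hides the FromBase64String call that the ScriptBlockText rules look for. The two rules, the sample events, the SIDs and the paths are constructed for the example; the S-1-5-18 and Defender ATP parent exclusions are the ones from the exclusions table.

```python
import base64
import re

# Vendor field names collapse into one canonical key, as the catalog does for
# Sigma's Image, Elastic's process.name and Splunk's process_name.
ALIASES = {
    "Image": "process.executable", "process.name": "process.executable",
    "process_name": "process.executable", "CommandLine": "process.command_line",
    "process.command_line": "process.command_line", "process": "process.command_line",
    "ParentImage": "process.parent.executable", "ParentCommandLine": "process.parent.command_line",
    "process.parent.command_line": "process.parent.command_line", "SubjectUserSid": "user.id",
}

def normalize(event):
    return {ALIASES.get(k, k): str(v) for k, v in event.items()}

def _ends_with(v, x):
    # A Sigma value such as "\powershell.exe" assumes a full path; Elastic and
    # Splunk carry only the basename, so prepend a separator before comparing.
    v = "\\" + v.replace("/", "\\") if x.startswith("\\") else v
    return v.lower().endswith(x.lower())

OPS = {
    "eq": lambda v, x: v.lower() == x.lower(),
    "contains": lambda v, x: x.lower() in v.lower(),
    "starts_with": lambda v, x: v.lower().startswith(x.lower()),
    "ends_with": _ends_with,
    "regex_match": lambda v, x: re.search(x, v) is not None,
}

def check_predicate(ev, field, op, value):
    """One (field, operator, value) row; a list value matches if any element does."""
    v = ev.get(ALIASES.get(field, field))
    if v is None:
        return False
    if op == "is_not_null":
        return v != ""
    values = value if isinstance(value, list) else [value]
    return any(OPS["eq" if op == "in" else op](v, x) for x in values)

def matches(rule, event):
    """selection AND NOT exclusions: the shape of the catalog's top-level not() clauses."""
    ev = normalize(event)
    selected = all(check_predicate(ev, *p) for p in rule["selection"])
    excluded = any(check_predicate(ev, *p) for p in rule["exclusions"])
    return selected and not excluded

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the payload is
# base64 over UTF-16LE, so a byte-level search for FromBase64String never sees it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Hypothetical rules assembled from the field, indicator and exclusion tables above.
RULES = [
    {"name": "powershell_encoded_command",
     "selection": [("Image", "ends_with", ["\\powershell.exe", "\\pwsh.exe"]),
                   ("CommandLine", "regex_match", r"(?i)\s[-/]e(c|nc|ncodedcommand)?\s")],
     "exclusions": [("user.id", "eq", "S-1-5-18"),
                    ("ParentCommandLine", "contains",
                     "\\programdata\\microsoft\\windows defender advanced threat protection")]},
    {"name": "certutil_decode",
     "selection": [("Image", "ends_with", "\\certutil.exe"),
                   ("CommandLine", "regex_match", r"(?i)\s-(d|decode)\s")],
     "exclusions": []},
]

# Constructed sample events in three vendors' field shapes (not real telemetry).
INNER = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))"
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # Sysmon EID 1: fires
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "user.id": "S-1-5-21-1-2-3-1001"},
    {"process.name": "powershell.exe",                                       # Elastic: basename only
     "process.command_line": f"powershell.exe -ec {ENCODED}",
     "process.parent.command_line":
         r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseIR.exe",
     "user.id": "S-1-5-18"},                                                 # excluded (SYSTEM + EDR parent)
    {"process_name": "certutil.exe",                                         # Splunk CIM: fires
     "process": r"certutil.exe -decode C:\Users\Public\p.b64 C:\Users\Public\p.exe",
     "user.id": "S-1-5-21-1-2-3-1001"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign: no encoding flag
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
     "user.id": "S-1-5-21-1-2-3-1001"},
]

def evaluate(events, rules):
    """Return (rule name, decoded payload or None) for every event a rule fires on."""
    hits = []
    for event in events:
        for rule in rules:
            if matches(rule, event):
                cmd = normalize(event).get("process.command_line", "")
                hits.append((rule["name"], decode_encoded_command(cmd)))
    return hits

if __name__ == "__main__":
    print(evaluate(EVENTS, RULES))
```

Two details matter in practice. The ends_with handling is why a Sigma rule written as Image|endswith: \powershell.exe silently fails when ported to a source that only carries the basename; the catalog's normalization papers over the field name but not the value shape. And the second event shows why the exclusion list exists: the selection alone would flag Defender's own encoded PowerShell launched as SYSTEM, which is the path four rules here filter out.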
2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 128 rules

Elastic 47 rules

Splunk 53 rules

Kusto 11 rules

YARA-L 2 rules

Panther 1 rule