Deobfuscate/Decode Files or Information T1140

Tactic: Stealth

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or utilities already present on the system.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 79 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (56 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 33 | contains 27, wildcard 6, match 5, ends_with 4, is_not_null 4, regex_match 4, length_compare 1, starts_with 1 | decode, tvqqaamaaaaeaaa, "|sh", (?i)-decode, *-*d*
event.type | 19 | eq 19 | start
process_name | 17 | eq 8, in 8, starts_with 6, wildcard 3, match 2 | base16, base32, base64, (?i)certutil, bash
EventType | 15 | eq 7, in 6, ne 2 | exec, ProcessRollup2, exec_event, deletion, fork
Image | 13 | ends_with 10, starts_with 2, regex_match 1 | /openssl, /wget, \certutil.exe, "(system32|syswow64)\\windowspowershell\\v1\.0\\powershell...", /bash
process.args | 13 | eq 10, contains 5, starts_with 5, wildcard 5, in 4 | -c, *-*d*, -d, $*$*;set-alias, &{'
host.os.type | 12 | eq 11, in 1 |
Esql.script_block_pattern_count | 10 | ge 10 | 1, 2, 20, 5
Esql.script_block_length | 9 | gt 9 | 500, 1000
ScriptBlockText | 9 | contains 5, in 4, eq 3, match 1 | $env:comspec[4, $pshome[, $shellid[, +, .createdecryptor
EventID | 8 | eq 8 | 4688, 1
event.category | 7 | eq 7 | process
file.directory | 5 | is_null 5 |
parent_process_name | 5 | eq 2, in 2, ends_with 1 | explorer.exe, \WmiPrvSE.exe, cmd.exe, cupsd, foomatic-rip
OriginalFileName | 4 | eq 4 | certutil.exe, mshta.exe, powershell.exe, pwsh.dll

Top indicator values (801 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 19 | 606
EventType | eq | exec | 7 | 171
event.category | eq | process | 7 | 128
process.args | eq | -c | 7 | 30
process.args | eq | -e | 6 | 15
Esql.script_block_length | gt | 500 | 6 | 6
Esql.script_block_length | gt | 1000 | 3 | 3
Esql.script_block_pattern_count | ge | 1 | 6 | 6
EventID | eq | 4688 | 6 | 313
EventType | in | ProcessRollup2 | 6 | 117
EventType | in | exec | 6 | 171
EventType | in | exec_event | 5 | 139
EventType | in | start | 5 | 134
process_name | in | base16 | 6 | 6
process_name | in | base32 | 6 | 7
process_name | in | base64 | 5 | 8
process_name | in | base64mime | 5 | 5
process_name | in | base64pem | 5 | 5
process_name | in | base64plain | 5 | 5
process_name | in | base64url | 5 | 5
process_name | starts_with | perl | 5 | 20
process_name | starts_with | python | 5 | 31
process_name | starts_with | ruby | 5 | 21
CommandLine | contains | decode | 4 | 5
CommandLine | contains | tvqqaamaaaaeaaa | 3 | 3
container.id | starts_with | ? | 4 | 22
process.args | contains | base64 | 4 | 4
Muted | eq | false | 3 | 3
process.interactive | eq | true | 3 | 42
process_name | wildcard | bash | 3 | 14

Exclusions (129 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
user.id | eq | S-1-5-18 | 3
CurrentDirectory | wildcard | /opt/zeek | 2
CurrentDirectory | wildcard | /proc/self/fd/*/usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek_old_install | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/opt/zeek | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/usr/local/zeek | 2
ParentCommandLine | contains | extendedglob | 2
parent_process_name | eq | zsh | 2
CommandLine | contains | & {$j = sajb {add-type -assemblyname | 1
CommandLine | contains | https://10. | 1
CommandLine | contains | https://127. | 1
CommandLine | contains | https://169.254. | 1
CommandLine | contains | https://172.16. | 1
CommandLine | contains | https://172.17. | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 20 rules

Elastic 40 rules

Splunk 6 rules

Kusto 12 rules

YARA-L 1 rule