Skip to content

Latest commit

 

History

History
79 lines (47 loc) · 3.21 KB

T1140.md

File metadata and controls

79 lines (47 loc) · 3.21 KB
Raw

T1140 - Deobfuscate/Decode Files or Information

Description from ATT&CK

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.

One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)

Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.

Atomic Tests


Atomic Test #1 - Deobfuscate/Decode Files Or Information

Encode/Decode executable

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
executable name of executable path C:\Windows\System32\calc.exe

Attack Commands: Run with command_prompt!

certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%T1140_calc_decoded.exe

Cleanup Commands:

del %temp%\T1140_calc.txt
del %temp%T1140_calc_decoded.exe


Atomic Test #2 - Certutil Rename and Decode

Rename certutil and decode a file. This is in reference to latest research by FireEye here

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
executable name of executable/file to decode path C:\Windows\System32\calc.exe

Attack Commands: Run with command_prompt!

copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -decode #{executable} %temp%\T1140.txt

Cleanup Commands:

del %temp%\tcm.tmp
del %temp%\T1140.txt