Analytics Story: Deobfuscate-Decode Files or Information

Date: 2021-03-24 ID: 0bd01a54-8cbe-11eb-abcd-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

Why it matters

An example of obfuscated files is Certutil.exe usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
CertUtil With Decode Argument	Deobfuscate/Decode Files or Information	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://attack.mitre.org/techniques/T1140/

Source: GitHub | Version: 1