Try in Splunk Security Cloud

Description

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Author: Michael Haag, Splunk
  • ID: 0bd01a54-8cbe-11eb-abcd-acde48001122

Narrative

An example of obfuscated files is Certutil.exe usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.

Detections

Name Technique Type
CertUtil With Decode Argument Deobfuscate/Decode Files or Information TTP

Reference

source | version: 1