Try in Splunk Security Cloud


Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Author: Michael Haag, Splunk
  • ID: 0bd01a54-8cbe-11eb-abcd-acde48001122


An example of obfuscated files is Certutil.exe usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.


Name Technique Type
CertUtil With Decode Argument Deobfuscate/Decode Files or Information TTP
Windows CertUtil Decode File Deobfuscate/Decode Files or Information TTP


source | version: 1