T1027

Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption.

Microsoft Sentinel / Defender

kusto

let EncodingTools = dynamic(["certutil", "certutil.exe"]);
let EncodingFlags = dynamic(["-decode", "-decodehex", "-encodehex", "-urlcache", "-urlcache -split -f"]);
let SuspiciousEncodingPatterns = dynamic([
  "[Convert]::FromBase64String",
  "[System.Convert]::FromBase64String",
  "[Convert]::ToBase64String",
  "FromBase64String",
  "ToBase64String",
  "-EncodedCommand",
  "-enc ",
  "-e ",
  "-ec ",
  "certutil.*-decode",
  "certutil.*-encodehex"
]);
let ObfuscationIndicators = dynamic([
  "chr(", "chr (",
  "[char]",
  "\\x",
  "0x",
  "HEX:",
  "bxor",
  "-bxor",
  "XOR"
]);
let CompressionTools = dynamic([
  "compress-archive",
  "expand-archive",
  "io.compression",
  "zipfile",
  "7z.exe",
  "7za.exe",
  "rar.exe"
]);
// Branch 1: Certutil used for encoding/decoding (classic LOLBin obfuscation)
let CertutilObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-decode", "-decodehex", "-encodehex", "-urlcache")
| extend ObfuscationMethod = "certutil_encoding"
| extend RiskScore = 3;
// Branch 2: PowerShell Base64 operations outside common admin patterns
let PowerShellBase64 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "[Convert]::FromBase64String",
    "[System.Convert]::FromBase64String",
    "FromBase64String",
    "-EncodedCommand",
    "-enc ",
    "bxor",
    "-bxor"
  )
| extend ObfuscationMethod = "powershell_base64_or_xor"
| extend RiskScore = 2;
// Branch 3: Wscript/Cscript executing scripts with obfuscated content indicators
let ScriptObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
    "chr(",
    "[char]",
    "String.fromCharCode",
    "unescape(",
    "escape(",
    "eval("
  )
| extend ObfuscationMethod = "script_charcode_obfuscation"
| extend RiskScore = 2;
// Branch 4: cmd.exe with excessive ^ or % variable expansion obfuscation
let CmdObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]{1}){4,}"
   or (ProcessCommandLine matches regex @"(%[a-zA-Z_][a-zA-Z0-9_]*:~[0-9,]+%){3,}")
| extend ObfuscationMethod = "cmd_caret_or_var_obfuscation"
| extend RiskScore = 3;
// Union all branches
CertutilObfuscation
| union PowerShellBase64
| union ScriptObfuscation
| union CmdObfuscation
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ObfuscationMethod, RiskScore
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows
IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts
Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations
Backup and archiving software may use certutil or 7-zip with password flags that superficially resemble obfuscation patterns
Web developers may use JavaScript unescape() or String.fromCharCode() in test scripts that get executed via cscript.exe during CI/CD

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\certutil.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\cmd.exe")
| eval CommandLineLower=lower(CommandLine)
| eval CertutilDecode=if(match(Image, "certutil\.exe") AND match(CommandLineLower, "(-decode|-decodehex|-encodehex|-urlcache)"), 1, 0)
| eval PowerShellBase64=if(match(Image, "(powershell|pwsh)\.exe") AND match(CommandLineLower, "(frombase64string|tobase64string|-encodedcommand|-enc\s+|-ec\s+|bxor|-bxor)"), 1, 0)
| eval ScriptCharCode=if(match(Image, "(wscript|cscript|mshta)\.exe") AND match(CommandLineLower, "(chr\(|string\.fromcharcode|unescape\(|escape\(|eval\()"), 1, 0)
| eval CmdCaretObfusc=if(match(Image, "cmd\.exe") AND match(CommandLine, "(\^[a-zA-Z0-9]){4,}"), 1, 0)
| eval CmdVarObfusc=if(match(Image, "cmd\.exe") AND match(CommandLine, "(%[a-zA-Z_][a-zA-Z0-9_]*:~[0-9]+,[0-9]+%){3,}"), 1, 0)
| eval ObfuscationScore=CertutilDecode + PowerShellBase64 + ScriptCharCode + CmdCaretObfusc + CmdVarObfusc
| eval ObfuscationMethods=mvappend(
    if(CertutilDecode=1, "certutil_encode_decode", null()),
    if(PowerShellBase64=1, "ps_base64_xor", null()),
    if(ScriptCharCode=1, "script_charcode", null()),
    if(CmdCaretObfusc=1, "cmd_caret", null()),
    if(CmdVarObfusc=1, "cmd_var_substring", null())
  )
| where ObfuscationScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        CertutilDecode, PowerShellBase64, ScriptCharCode, CmdCaretObfusc, CmdVarObfusc,
        ObfuscationMethods, ObfuscationScore
| sort - ObfuscationScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software build pipelines and CI/CD agents routinely use certutil and PowerShell Base64 for encoding configuration artifacts
IT management platforms (SCCM, PDQ, Ansible) pass encoded parameters to PowerShell for safe string handling during software deployment
Security analysts running detection engineering or malware triage scripts on designated analysis machines
Developer workstations where JavaScript unescape() or eval() calls appear in test/debug scripts run via cscript.exe
Backup software and archive tools that combine compression with Base64 encoding for transport

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  (
    (
      process.name : "certutil.exe" and
      process.args : ("-decode", "-decodehex", "-encodehex", "-urlcache")
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*FromBase64String*", "*ToBase64String*",
        "*-EncodedCommand*", "*-enc *", "*-ec *",
        "*bxor*", "*-bxor*"
      )
    ) or
    (
      process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
      process.command_line : (
        "*chr(*", "*String.fromCharCode*",
        "*unescape(*", "*escape(*", "*eval(*"
      )
    ) or
    (
      process.name : "cmd.exe" and
      process.command_line : ("*^?^?^?^?*", "*%*:~*,*%*:~*,*%*:~*")
    )
  )
]

/* Alternative non-sequence query for broader coverage */
/* process where event.type == "start" and
  process.name : ("certutil.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe") and
  (
    (process.name : "certutil.exe" and process.command_line : ("-decode", "-decodehex", "-encodehex", "-urlcache")) or
    (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*FromBase64String*", "*-EncodedCommand*", "*-enc *", "*bxor*")) or
    (process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and process.command_line : ("*chr(*", "*String.fromCharCode*", "*eval(*")) or
    (process.name : "cmd.exe" and process.command_line regex~ "(\^[a-zA-Z0-9]){4,}")
  )
*/

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with endpoint integration Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Certutil used by IT admins or SCCM/ConfigMgr to decode legitimate certificate files during PKI operations
PowerShell scripts by developers using Base64 encoding for legitimate data serialization or configuration management
Web developers or build systems using escape()/unescape() functions in legacy JS via cscript during build pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "TargetUserName",
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "CommandLine",
  "ParentCommandLine",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR
      LOWER("CommandLine") LIKE '%-decodehex%' OR
      LOWER("CommandLine") LIKE '%-encodehex%' OR
      LOWER("CommandLine") LIKE '%-urlcache%'
    ) THEN 'certutil_encode_decode'
    WHEN (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR
      LOWER("CommandLine") LIKE '%tobase64string%' OR
      LOWER("CommandLine") LIKE '%-encodedcommand%' OR
      LOWER("CommandLine") LIKE '%-enc %' OR
      LOWER("CommandLine") LIKE '%bxor%'
    ) THEN 'powershell_base64_xor'
    WHEN (LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR
      LOWER("CommandLine") LIKE '%string.fromcharcode%' OR
      LOWER("CommandLine") LIKE '%unescape(%' OR
      LOWER("CommandLine") LIKE '%eval(%'
    ) THEN 'script_charcode_obfuscation'
    WHEN LOWER("Image") LIKE '%cmd.exe' AND (
      "CommandLine" LIKE '%^_^_^_^_%' OR
      "CommandLine" LIKE '%%*:~*,*%*:~*,*%%'
    ) THEN 'cmd_caret_or_var_obfuscation'
    ELSE 'unknown'
  END AS obfuscation_method
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 433)
  AND (
    ("EventID" = '1' OR "EventID" = '4688')
  )
  AND (
    LOWER("Image") LIKE '%certutil.exe' OR
    LOWER("Image") LIKE '%powershell.exe' OR
    LOWER("Image") LIKE '%pwsh.exe' OR
    LOWER("Image") LIKE '%wscript.exe' OR
    LOWER("Image") LIKE '%cscript.exe' OR
    LOWER("Image") LIKE '%mshta.exe' OR
    LOWER("Image") LIKE '%cmd.exe'
  )
  AND (
    (LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-encodehex%' OR LOWER("CommandLine") LIKE '%-urlcache%'
    )) OR
    ((LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR LOWER("CommandLine") LIKE '%-encodedcommand%' OR
      LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%-enc %'
    )) OR
    ((LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR LOWER("CommandLine") LIKE '%fromcharcode%' OR LOWER("CommandLine") LIKE '%eval(%'
    )) OR
    (LOWER("Image") LIKE '%cmd.exe' AND LOWER("CommandLine") LIKE '%^%^%^%^%')
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

QRadar SIEM with Windows Sysmon log source (LOGSOURCETYPEID 433) Windows Security Event log source (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

System administrators using certutil for PKI certificate management or WSUS operations that involve file decode steps
Automated deployment pipelines (Ansible, Chef, Puppet) that pass Base64-encoded configuration blobs via PowerShell
Legacy web automation scripts using cscript with eval() or String.fromCharCode() for encoding compatibility

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("1", "4688")
| where Image matches "*certutil.exe" OR Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
   OR Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe"
   OR Image matches "*cmd.exe"
| eval cmd_lower = toLowerCase(CommandLine)
| eval certutil_flag = if (Image matches "*certutil.exe" AND (
    cmd_lower matches "-decode" OR cmd_lower matches "-decodehex" OR
    cmd_lower matches "-encodehex" OR cmd_lower matches "-urlcache"
  ), 1, 0)
| eval ps_base64_flag = if ((Image matches "*powershell.exe" OR Image matches "*pwsh.exe") AND (
    cmd_lower matches "*frombase64string*" OR cmd_lower matches "*tobase64string*" OR
    cmd_lower matches "*-encodedcommand*" OR cmd_lower matches "*-enc *" OR
    cmd_lower matches "*bxor*" OR cmd_lower matches "*-bxor*"
  ), 1, 0)
| eval script_charcode_flag = if ((Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe") AND (
    cmd_lower matches "*chr(*" OR cmd_lower matches "*string.fromcharcode*" OR
    cmd_lower matches "*unescape(*" OR cmd_lower matches "*eval(*"
  ), 1, 0)
| eval cmd_caret_flag = if (Image matches "*cmd.exe" AND (
    CommandLine matches "*^?^?^?^?*"
  ), 1, 0)
| eval obfuscation_score = certutil_flag + ps_base64_flag + script_charcode_flag + cmd_caret_flag
| where obfuscation_score > 0
| eval obfuscation_methods = concat(
    if(certutil_flag = 1, "certutil_encode_decode,", ""),
    if(ps_base64_flag = 1, "ps_base64_xor,", ""),
    if(script_charcode_flag = 1, "script_charcode,", ""),
    if(cmd_caret_flag = 1, "cmd_caret,", "")
  )
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine,
    certutil_flag, ps_base64_flag, script_charcode_flag, cmd_caret_flag,
    obfuscation_methods, obfuscation_score
| sort by obfuscation_score desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic with Windows Sysmon data ingestion Windows Security Event Log via Sumo Logic Universal Forwarder

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software packaging scripts that use certutil to decode embedded payloads during legitimate software installation processes
Security tooling and EDR products that use PowerShell with Base64-encoded health check or telemetry scripts
Oracle, SAP, or other enterprise software maintenance scripts that leverage cscript/wscript with eval() for legacy compatibility

Google Chronicle / SecOps

yaral

rule t1027_obfuscated_files_or_information {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027 Obfuscated Files or Information — certutil encode/decode, PowerShell Base64/XOR, script charcode obfuscation, cmd caret/variable expansion."
    mitre_attack_technique = "T1027"
    mitre_attack_tactic = "Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    reference = "https://attack.mitre.org/techniques/T1027/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: certutil encode/decode
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(-decode|-decodehex|-encodehex|-urlcache)`)
      ) or

      // Branch 2: PowerShell Base64/XOR
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(FromBase64String|ToBase64String|-EncodedCommand|-enc\s+|-ec\s+|bxor|-bxor)`)
      ) or

      // Branch 3: Script engines with charcode obfuscation
      (
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript|mshta)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(chr\(|String\.fromCharCode|unescape\(|escape\(|eval\()`)
      ) or

      // Branch 4: cmd.exe caret obfuscation
      (
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(\^[a-zA-Z0-9]){4,}`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon UDM ingestion Chronicle with Endpoint Detection sensor data

Required Tables

UDM process events (metadata.event_type = PROCESS_LAUNCH)

False Positives

PKI administration tasks where certutil.exe legitimately decodes certificate enrollment responses or tests certificate chains
Automated Windows administration via PowerShell DSC or scheduled tasks using -EncodedCommand for multiline scripts passed through Task Scheduler
Legacy batch scripts from enterprise software vendors (e.g., Oracle Forms, SAP) that use cmd caret escaping for special character handling in install scripts

CrowdStrike LogScale (CQL)

cql

// T1027 - Obfuscated Files or Information
// CrowdStrike LogScale (CQL) - Falcon ProcessRollup2 events

#event_simpleName=ProcessRollup2
| FileName = /(?i)(certutil|powershell|pwsh|wscript|cscript|mshta|cmd)\.exe$/

// Certutil encode/decode
| eval certutil_flag = if(
    FileName = /(?i)certutil\.exe$/ AND CommandLine = /(?i)(-decode|-decodehex|-encodehex|-urlcache)/,
    1, 0
  )

// PowerShell Base64/XOR
| eval ps_base64_flag = if(
    FileName = /(?i)(powershell|pwsh)\.exe$/ AND
    CommandLine = /(?i)(FromBase64String|ToBase64String|-EncodedCommand|-enc\s|-ec\s|bxor|-bxor)/,
    1, 0
  )

// Script charcode obfuscation
| eval script_charcode_flag = if(
    FileName = /(?i)(wscript|cscript|mshta)\.exe$/ AND
    CommandLine = /(?i)(chr\(|String\.fromCharCode|unescape\(|escape\(|eval\()/,
    1, 0
  )

// cmd.exe caret obfuscation
| eval cmd_caret_flag = if(
    FileName = /(?i)cmd\.exe$/ AND
    CommandLine = /(\^[a-zA-Z0-9]){4,}/,
    1, 0
  )

| eval obfuscation_score = certutil_flag + ps_base64_flag + script_charcode_flag + cmd_caret_flag
| where obfuscation_score > 0

| eval obfuscation_methods = array:concat(
    if(certutil_flag = 1, ["certutil_encode_decode"], []),
    if(ps_base64_flag = 1, ["ps_base64_xor"], []),
    if(script_charcode_flag = 1, ["script_charcode"], []),
    if(cmd_caret_flag = 1, ["cmd_caret"], [])
  )

| table(
    [@timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine,
     certutil_flag, ps_base64_flag, script_charcode_flag, cmd_caret_flag,
     obfuscation_methods, obfuscation_score],
    sortby=obfuscation_score,
    order=desc,
    limit=1000
  )

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale with Falcon sensor ProcessRollup2 events

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Patch management solutions (SCCM, Intune, Ivanti) invoking certutil to download and decode update packages as part of legitimate software distribution workflows
DevOps CI/CD pipelines using PowerShell with -EncodedCommand to pass complex multiline build scripts through Azure DevOps or Jenkins agents
System hardening or compliance scripts from vendors like CIS-CAT or Tenable that use cmd.exe with variable expansion for dynamic environment detection

Last updated: 2026-04-14 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Obfuscated Files or Information

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (17)

Same Tactic: Defense Evasion

Popular Detections