Which SIEM platforms have a T1027 detection rule?

df00tech provides T1027 (Obfuscated Files or Information) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Obfuscated Files or Information (T1027)?

Detecting Obfuscated Files or Information requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1027 detection?

The T1027 detection is rated medium severity with medium confidence.

What are common false positives for T1027?

Common false positives for T1027 include: Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows; IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts; Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations.

T1027

Obfuscated Files or Information

Defense Evasion Last updated: April 14, 2026

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption.

What is T1027 Obfuscated Files or Information?

Obfuscated Files or Information (T1027) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Obfuscated Files or Information, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Canonical reference: https://attack.mitre.org/techniques/T1027/

Microsoft Sentinel / Defender

kusto

let EncodingTools = dynamic(["certutil", "certutil.exe"]);
let EncodingFlags = dynamic(["-decode", "-decodehex", "-encodehex", "-urlcache", "-urlcache -split -f"]);
let SuspiciousEncodingPatterns = dynamic([
  "[Convert]::FromBase64String",
  "[System.Convert]::FromBase64String",
  "[Convert]::ToBase64String",
  "FromBase64String",
  "ToBase64String",
  "-EncodedCommand",
  "-enc ",
  "-e ",
  "-ec ",
  "certutil.*-decode",
  "certutil.*-encodehex"
]);
let ObfuscationIndicators = dynamic([
  "chr(", "chr (",
  "[char]",
  "\\x",
  "0x",
  "HEX:",
  "bxor",
  "-bxor",
  "XOR"
]);
let CompressionTools = dynamic([
  "compress-archive",
  "expand-archive",
  "io.compression",
  "zipfile",
  "7z.exe",
  "7za.exe",
  "rar.exe"
]);
// Branch 1: Certutil used for encoding/decoding (classic LOLBin obfuscation)
let CertutilObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-decode", "-decodehex", "-encodehex", "-urlcache")
| extend ObfuscationMethod = "certutil_encoding"
| extend RiskScore = 3;
// Branch 2: PowerShell Base64 operations outside common admin patterns
let PowerShellBase64 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "[Convert]::FromBase64String",
    "[System.Convert]::FromBase64String",
    "FromBase64String",
    "-EncodedCommand",
    "-enc ",
    "bxor",
    "-bxor"
  )
| extend ObfuscationMethod = "powershell_base64_or_xor"
| extend RiskScore = 2;
// Branch 3: Wscript/Cscript executing scripts with obfuscated content indicators
let ScriptObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
    "chr(",
    "[char]",
    "String.fromCharCode",
    "unescape(",
    "escape(",
    "eval("
  )
| extend ObfuscationMethod = "script_charcode_obfuscation"
| extend RiskScore = 2;
// Branch 4: cmd.exe with excessive ^ or % variable expansion obfuscation
let CmdObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]{1}){4,}"
   or (ProcessCommandLine matches regex @"(%[a-zA-Z_][a-zA-Z0-9_]*:~[0-9,]+%){3,}")
| extend ObfuscationMethod = "cmd_caret_or_var_obfuscation"
| extend RiskScore = 3;
// Union all branches
CertutilObfuscation
| union PowerShellBase64
| union ScriptObfuscation
| union CmdObfuscation
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ObfuscationMethod, RiskScore
| sort by Timestamp desc

Detects obfuscated file or information patterns across multiple execution vectors in Microsoft Defender for Endpoint. Covers certutil.exe used for Base64/hex encoding and decoding (LOLBin abuse), PowerShell Base64 operations and XOR encoding, script interpreters using character-code obfuscation (chr(), String.fromCharCode(), unescape()), and cmd.exe with caret-insertion or environment variable substring obfuscation. Returns an ObfuscationMethod tag and RiskScore to help analysts prioritize. As a parent technique covering many sub-techniques, individual detections for T1027.001–T1027.017 provide deeper coverage for specific obfuscation variants.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows
IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts
Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations
Backup and archiving software may use certutil or 7-zip with password flags that superficially resemble obfuscation patterns
Web developers may use JavaScript unescape() or String.fromCharCode() in test scripts that get executed via cscript.exe during CI/CD

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\certutil.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\cmd.exe")
| eval CommandLineLower=lower(CommandLine)
| eval CertutilDecode=if(match(Image, "certutil\.exe") AND match(CommandLineLower, "(-decode|-decodehex|-encodehex|-urlcache)"), 1, 0)
| eval PowerShellBase64=if(match(Image, "(powershell|pwsh)\.exe") AND match(CommandLineLower, "(frombase64string|tobase64string|-encodedcommand|-enc\s+|-ec\s+|bxor|-bxor)"), 1, 0)
| eval ScriptCharCode=if(match(Image, "(wscript|cscript|mshta)\.exe") AND match(CommandLineLower, "(chr\(|string\.fromcharcode|unescape\(|escape\(|eval\()"), 1, 0)
| eval CmdCaretObfusc=if(match(Image, "cmd\.exe") AND match(CommandLine, "(\^[a-zA-Z0-9]){4,}"), 1, 0)
| eval CmdVarObfusc=if(match(Image, "cmd\.exe") AND match(CommandLine, "(%[a-zA-Z_][a-zA-Z0-9_]*:~[0-9]+,[0-9]+%){3,}"), 1, 0)
| eval ObfuscationScore=CertutilDecode + PowerShellBase64 + ScriptCharCode + CmdCaretObfusc + CmdVarObfusc
| eval ObfuscationMethods=mvappend(
    if(CertutilDecode=1, "certutil_encode_decode", null()),
    if(PowerShellBase64=1, "ps_base64_xor", null()),
    if(ScriptCharCode=1, "script_charcode", null()),
    if(CmdCaretObfusc=1, "cmd_caret", null()),
    if(CmdVarObfusc=1, "cmd_var_substring", null())
  )
| where ObfuscationScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        CertutilDecode, PowerShellBase64, ScriptCharCode, CmdCaretObfusc, CmdVarObfusc,
        ObfuscationMethods, ObfuscationScore
| sort - ObfuscationScore, - _time

Detects obfuscated file and information patterns using Sysmon Event ID 1 (Process Creation) logs across certutil.exe, PowerShell, script interpreters, and cmd.exe. Assigns categorical flags per obfuscation method and aggregates them into an ObfuscationScore to surface the most suspicious entries first. CertutilDecode=1 flags certutil encoding/decoding abuse. PowerShellBase64=1 flags Base64 or XOR obfuscation in PowerShell. ScriptCharCode=1 flags character-code obfuscation in scripting hosts. CmdCaretObfusc and CmdVarObfusc flag cmd.exe shell obfuscation techniques.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software build pipelines and CI/CD agents routinely use certutil and PowerShell Base64 for encoding configuration artifacts
IT management platforms (SCCM, PDQ, Ansible) pass encoded parameters to PowerShell for safe string handling during software deployment
Security analysts running detection engineering or malware triage scripts on designated analysis machines
Developer workstations where JavaScript unescape() or eval() calls appear in test/debug scripts run via cscript.exe
Backup software and archive tools that combine compression with Base64 encoding for transport

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  (
    (
      process.name : "certutil.exe" and
      process.args : ("-decode", "-decodehex", "-encodehex", "-urlcache")
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*FromBase64String*", "*ToBase64String*",
        "*-EncodedCommand*", "*-enc *", "*-ec *",
        "*bxor*", "*-bxor*"
      )
    ) or
    (
      process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
      process.command_line : (
        "*chr(*", "*String.fromCharCode*",
        "*unescape(*", "*escape(*", "*eval(*"
      )
    ) or
    (
      process.name : "cmd.exe" and
      process.command_line : ("*^?^?^?^?*", "*%*:~*,*%*:~*,*%*:~*")
    )
  )
]

/* Alternative non-sequence query for broader coverage */
/* process where event.type == "start" and
  process.name : ("certutil.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe") and
  (
    (process.name : "certutil.exe" and process.command_line : ("-decode", "-decodehex", "-encodehex", "-urlcache")) or
    (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*FromBase64String*", "*-EncodedCommand*", "*-enc *", "*bxor*")) or
    (process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and process.command_line : ("*chr(*", "*String.fromCharCode*", "*eval(*")) or
    (process.name : "cmd.exe" and process.command_line regex~ "(\^[a-zA-Z0-9]){4,}")
  )
*/

Detects T1027 obfuscated files or information via certutil encoding/decoding, PowerShell Base64/XOR operations, script engine charcode obfuscation (wscript/cscript/mshta), and cmd.exe caret/variable-expansion obfuscation. Maps to MITRE ATT&CK T1027.

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with endpoint integration Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Certutil used by IT admins or SCCM/ConfigMgr to decode legitimate certificate files during PKI operations
PowerShell scripts by developers using Base64 encoding for legitimate data serialization or configuration management
Web developers or build systems using escape()/unescape() functions in legacy JS via cscript during build pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "TargetUserName",
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "CommandLine",
  "ParentCommandLine",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR
      LOWER("CommandLine") LIKE '%-decodehex%' OR
      LOWER("CommandLine") LIKE '%-encodehex%' OR
      LOWER("CommandLine") LIKE '%-urlcache%'
    ) THEN 'certutil_encode_decode'
    WHEN (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR
      LOWER("CommandLine") LIKE '%tobase64string%' OR
      LOWER("CommandLine") LIKE '%-encodedcommand%' OR
      LOWER("CommandLine") LIKE '%-enc %' OR
      LOWER("CommandLine") LIKE '%bxor%'
    ) THEN 'powershell_base64_xor'
    WHEN (LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR
      LOWER("CommandLine") LIKE '%string.fromcharcode%' OR
      LOWER("CommandLine") LIKE '%unescape(%' OR
      LOWER("CommandLine") LIKE '%eval(%'
    ) THEN 'script_charcode_obfuscation'
    WHEN LOWER("Image") LIKE '%cmd.exe' AND (
      "CommandLine" LIKE '%^_^_^_^_%' OR
      "CommandLine" LIKE '%%*:~*,*%*:~*,*%%'
    ) THEN 'cmd_caret_or_var_obfuscation'
    ELSE 'unknown'
  END AS obfuscation_method
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 433)
  AND (
    ("EventID" = '1' OR "EventID" = '4688')
  )
  AND (
    LOWER("Image") LIKE '%certutil.exe' OR
    LOWER("Image") LIKE '%powershell.exe' OR
    LOWER("Image") LIKE '%pwsh.exe' OR
    LOWER("Image") LIKE '%wscript.exe' OR
    LOWER("Image") LIKE '%cscript.exe' OR
    LOWER("Image") LIKE '%mshta.exe' OR
    LOWER("Image") LIKE '%cmd.exe'
  )
  AND (
    (LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-encodehex%' OR LOWER("CommandLine") LIKE '%-urlcache%'
    )) OR
    ((LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR LOWER("CommandLine") LIKE '%-encodedcommand%' OR
      LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%-enc %'
    )) OR
    ((LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR LOWER("CommandLine") LIKE '%fromcharcode%' OR LOWER("CommandLine") LIKE '%eval(%'
    )) OR
    (LOWER("Image") LIKE '%cmd.exe' AND LOWER("CommandLine") LIKE '%^%^%^%^%')
  )
ORDER BY devicetime DESC

Detects T1027 obfuscation techniques via Sysmon EventID 1 (Process Create) or Security EventID 4688 in QRadar. Flags certutil decode/encode operations, PowerShell Base64/XOR, script engine charcode obfuscation, and cmd.exe caret/variable-expansion abuse. Uses AQL CASE expression to categorize the obfuscation method.

high severity medium confidence

Data Sources

QRadar SIEM with Windows Sysmon log source (LOGSOURCETYPEID 433) Windows Security Event log source (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

System administrators using certutil for PKI certificate management or WSUS operations that involve file decode steps
Automated deployment pipelines (Ansible, Chef, Puppet) that pass Base64-encoded configuration blobs via PowerShell
Legacy web automation scripts using cscript with eval() or String.fromCharCode() for encoding compatibility

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("1", "4688")
| where Image matches "*certutil.exe" OR Image matches "*powershell.exe" OR Image matches "*pwsh.exe"
   OR Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe"
   OR Image matches "*cmd.exe"
| eval cmd_lower = toLowerCase(CommandLine)
| eval certutil_flag = if (Image matches "*certutil.exe" AND (
    cmd_lower matches "-decode" OR cmd_lower matches "-decodehex" OR
    cmd_lower matches "-encodehex" OR cmd_lower matches "-urlcache"
  ), 1, 0)
| eval ps_base64_flag = if ((Image matches "*powershell.exe" OR Image matches "*pwsh.exe") AND (
    cmd_lower matches "*frombase64string*" OR cmd_lower matches "*tobase64string*" OR
    cmd_lower matches "*-encodedcommand*" OR cmd_lower matches "*-enc *" OR
    cmd_lower matches "*bxor*" OR cmd_lower matches "*-bxor*"
  ), 1, 0)
| eval script_charcode_flag = if ((Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe") AND (
    cmd_lower matches "*chr(*" OR cmd_lower matches "*string.fromcharcode*" OR
    cmd_lower matches "*unescape(*" OR cmd_lower matches "*eval(*"
  ), 1, 0)
| eval cmd_caret_flag = if (Image matches "*cmd.exe" AND (
    CommandLine matches "*^?^?^?^?*"
  ), 1, 0)
| eval obfuscation_score = certutil_flag + ps_base64_flag + script_charcode_flag + cmd_caret_flag
| where obfuscation_score > 0
| eval obfuscation_methods = concat(
    if(certutil_flag = 1, "certutil_encode_decode,", ""),
    if(ps_base64_flag = 1, "ps_base64_xor,", ""),
    if(script_charcode_flag = 1, "script_charcode,", ""),
    if(cmd_caret_flag = 1, "cmd_caret,", "")
  )
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine,
    certutil_flag, ps_base64_flag, script_charcode_flag, cmd_caret_flag,
    obfuscation_methods, obfuscation_score
| sort by obfuscation_score desc, _messageTime desc

Detects T1027 obfuscated files or information using Sumo Logic CSE. Queries Sysmon EventID 1 or Security EventID 4688 process creation events. Scores and categorizes certutil encode/decode, PowerShell Base64/XOR, script charcode, and cmd caret obfuscation methods. Returns scored results ordered by severity.

high severity medium confidence

Data Sources

Sumo Logic with Windows Sysmon data ingestion Windows Security Event Log via Sumo Logic Universal Forwarder

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software packaging scripts that use certutil to decode embedded payloads during legitimate software installation processes
Security tooling and EDR products that use PowerShell with Base64-encoded health check or telemetry scripts
Oracle, SAP, or other enterprise software maintenance scripts that leverage cscript/wscript with eval() for legacy compatibility

Google Chronicle / SecOps

yaral

rule t1027_obfuscated_files_or_information {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1027 Obfuscated Files or Information — certutil encode/decode, PowerShell Base64/XOR, script charcode obfuscation, cmd caret/variable expansion."
    mitre_attack_technique = "T1027"
    mitre_attack_tactic = "Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    reference = "https://attack.mitre.org/techniques/T1027/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: certutil encode/decode
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(-decode|-decodehex|-encodehex|-urlcache)`)
      ) or

      // Branch 2: PowerShell Base64/XOR
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(FromBase64String|ToBase64String|-EncodedCommand|-enc\s+|-ec\s+|bxor|-bxor)`)
      ) or

      // Branch 3: Script engines with charcode obfuscation
      (
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript|mshta)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(chr\(|String\.fromCharCode|unescape\(|escape\(|eval\()`)
      ) or

      // Branch 4: cmd.exe caret obfuscation
      (
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(\^[a-zA-Z0-9]){4,}`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1027 obfuscation techniques across four branches: certutil encode/decode LOLBin abuse, PowerShell Base64/XOR operations, script engine (wscript/cscript/mshta) charcode obfuscation, and cmd.exe caret/variable-expansion obfuscation. Uses UDM process launch events with regex matching on command line arguments.

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon UDM ingestion Chronicle with Endpoint Detection sensor data

Required Tables

UDM process events (metadata.event_type = PROCESS_LAUNCH)

False Positives

PKI administration tasks where certutil.exe legitimately decodes certificate enrollment responses or tests certificate chains
Automated Windows administration via PowerShell DSC or scheduled tasks using -EncodedCommand for multiline scripts passed through Task Scheduler
Legacy batch scripts from enterprise software vendors (e.g., Oracle Forms, SAP) that use cmd caret escaping for special character handling in install scripts

CrowdStrike LogScale (CQL)

cql

// T1027 - Obfuscated Files or Information
// CrowdStrike LogScale (CQL) - Falcon ProcessRollup2 events

#event_simpleName=ProcessRollup2
| FileName = /(?i)(certutil|powershell|pwsh|wscript|cscript|mshta|cmd)\.exe$/

// Certutil encode/decode
| eval certutil_flag = if(
    FileName = /(?i)certutil\.exe$/ AND CommandLine = /(?i)(-decode|-decodehex|-encodehex|-urlcache)/,
    1, 0
  )

// PowerShell Base64/XOR
| eval ps_base64_flag = if(
    FileName = /(?i)(powershell|pwsh)\.exe$/ AND
    CommandLine = /(?i)(FromBase64String|ToBase64String|-EncodedCommand|-enc\s|-ec\s|bxor|-bxor)/,
    1, 0
  )

// Script charcode obfuscation
| eval script_charcode_flag = if(
    FileName = /(?i)(wscript|cscript|mshta)\.exe$/ AND
    CommandLine = /(?i)(chr\(|String\.fromCharCode|unescape\(|escape\(|eval\()/,
    1, 0
  )

// cmd.exe caret obfuscation
| eval cmd_caret_flag = if(
    FileName = /(?i)cmd\.exe$/ AND
    CommandLine = /(\^[a-zA-Z0-9]){4,}/,
    1, 0
  )

| eval obfuscation_score = certutil_flag + ps_base64_flag + script_charcode_flag + cmd_caret_flag
| where obfuscation_score > 0

| eval obfuscation_methods = array:concat(
    if(certutil_flag = 1, ["certutil_encode_decode"], []),
    if(ps_base64_flag = 1, ["ps_base64_xor"], []),
    if(script_charcode_flag = 1, ["script_charcode"], []),
    if(cmd_caret_flag = 1, ["cmd_caret"], [])
  )

| table(
    [@timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine,
     certutil_flag, ps_base64_flag, script_charcode_flag, cmd_caret_flag,
     obfuscation_methods, obfuscation_score],
    sortby=obfuscation_score,
    order=desc,
    limit=1000
  )

CrowdStrike LogScale (Falcon CQL) detection for T1027 obfuscated files or information. Queries ProcessRollup2 events from the Falcon sensor targeting certutil encode/decode, PowerShell Base64/XOR, script engine charcode obfuscation, and cmd.exe caret obfuscation. Produces a scored, categorized result set ordered by severity.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale with Falcon sensor ProcessRollup2 events

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Patch management solutions (SCCM, Intune, Ivanti) invoking certutil to download and decode update packages as part of legitimate software distribution workflows
DevOps CI/CD pipelines using PowerShell with -EncodedCommand to pass complex multiline build scripts through Azure DevOps or Jenkins agents
System hardening or compliance scripts from vendors like CIS-CAT or Tenable that use cmd.exe with variable expansion for dynamic environment detection

Sigma rule & cross-platform mapping

The detection logic for Obfuscated Files or Information (T1027) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1027 Sigma rules on detection.fyi

Platform-specific guides for T1027

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-14 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Certutil Base64 Encode and Decode a Payload
Expected signal: Sysmon Event ID 1: Two Process Create events for certutil.exe — first with CommandLine containing '-encodehex' and output path, second with '-decode' and output path. Sysmon Event ID 11 (File Create): creation of the encoded and decoded output files in %TEMP%. Security Event ID 4688 if command line auditing is enabled. No network events expected for local file operations.
Test 2PowerShell XOR Encoding of a String
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bxor'. PowerShell ScriptBlock Log Event ID 4104 showing the full XOR encoding/decoding script. No file or network events expected.
Test 3Wscript Executing Character-Code Obfuscated VBScript
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing the .vbs file. Sysmon Event ID 11: File Create of the .vbs file in %TEMP%. The script prints 'df00tech' to a WScript dialog — no network or registry events.
Test 4Cmd.exe Caret Insertion Obfuscation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'w^h^o^a^m^i' (six carets). Depending on audit configuration, a second Process Create for whoami.exe may appear as a child process. Security Event ID 4688 for cmd.exe and whoami.exe if command line auditing is enabled.
Test 5Double-Layer PowerShell Base64 Encoding
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', 'FromBase64String', and 'Invoke-Expression'. PowerShell ScriptBlock Log Event ID 4104 showing the full encoding script. No file or network events.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0005Defense Evasion

Sub-techniques (17)

Related Techniques

T1027.001Binary Padding T1027.002Software Packing T1027.004Compile After Delivery T1027.006HTML Smuggling T1027.010Command Obfuscation T1027.013Encrypted/Encoded File T1059.001PowerShell T1059.003Windows Command Shell T1140Deobfuscate/Decode Files or Information T1204.002Malicious File T1105Ingress Tool Transfer

Obfuscated Files or Information

What is T1027 Obfuscated Files or Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1027

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (17)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1027 Obfuscated Files or Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1027

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (17)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox