Which SIEM platforms have a T1027 detection rule?

df00tech provides T1027 (Obfuscated Files or Information) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Obfuscated Files or Information (T1027)?

Detecting Obfuscated Files or Information requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1027 detection?

The T1027 detection is rated medium severity with medium confidence.

What are common false positives for T1027?

Common false positives for T1027 include: Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows; IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts; Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations.

T1027 Elastic Security · Elastic

Detect Obfuscated Files or Information in Elastic Security

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Canonical reference: https://attack.mitre.org/techniques/T1027/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  (
    (
      process.name : "certutil.exe" and
      process.args : ("-decode", "-decodehex", "-encodehex", "-urlcache")
    ) or
    (
      process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : (
        "*FromBase64String*", "*ToBase64String*",
        "*-EncodedCommand*", "*-enc *", "*-ec *",
        "*bxor*", "*-bxor*"
      )
    ) or
    (
      process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
      process.command_line : (
        "*chr(*", "*String.fromCharCode*",
        "*unescape(*", "*escape(*", "*eval(*"
      )
    ) or
    (
      process.name : "cmd.exe" and
      process.command_line : ("*^?^?^?^?*", "*%*:~*,*%*:~*,*%*:~*")
    )
  )
]

/* Alternative non-sequence query for broader coverage */
/* process where event.type == "start" and
  process.name : ("certutil.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe") and
  (
    (process.name : "certutil.exe" and process.command_line : ("-decode", "-decodehex", "-encodehex", "-urlcache")) or
    (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*FromBase64String*", "*-EncodedCommand*", "*-enc *", "*bxor*")) or
    (process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and process.command_line : ("*chr(*", "*String.fromCharCode*", "*eval(*")) or
    (process.name : "cmd.exe" and process.command_line regex~ "(\^[a-zA-Z0-9]){4,}")
  )
*/

high severity high confidence

Detects T1027 obfuscated files or information via certutil encoding/decoding, PowerShell Base64/XOR operations, script engine charcode obfuscation (wscript/cscript/mshta), and cmd.exe caret/variable-expansion obfuscation. Maps to MITRE ATT&CK T1027.

Data Sources

Elastic Endpoint SecurityElastic Agent with endpoint integrationSysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

Certutil used by IT admins or SCCM/ConfigMgr to decode legitimate certificate files during PKI operations
PowerShell scripts by developers using Base64 encoding for legitimate data serialization or configuration management
Web developers or build systems using escape()/unescape() functions in legacy JS via cscript during build pipelines

Download portable Sigma rule (.yml)

Other platforms for T1027

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Certutil Base64 Encode and Decode a Payload
Expected signal: Sysmon Event ID 1: Two Process Create events for certutil.exe — first with CommandLine containing '-encodehex' and output path, second with '-decode' and output path. Sysmon Event ID 11 (File Create): creation of the encoded and decoded output files in %TEMP%. Security Event ID 4688 if command line auditing is enabled. No network events expected for local file operations.
Test 2PowerShell XOR Encoding of a String
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bxor'. PowerShell ScriptBlock Log Event ID 4104 showing the full XOR encoding/decoding script. No file or network events expected.
Test 3Wscript Executing Character-Code Obfuscated VBScript
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing the .vbs file. Sysmon Event ID 11: File Create of the .vbs file in %TEMP%. The script prints 'df00tech' to a WScript dialog — no network or registry events.
Test 4Cmd.exe Caret Insertion Obfuscation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'w^h^o^a^m^i' (six carets). Depending on audit configuration, a second Process Create for whoami.exe may appear as a child process. Security Event ID 4688 for cmd.exe and whoami.exe if command line auditing is enabled.
Test 5Double-Layer PowerShell Base64 Encoding
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', 'FromBase64String', and 'Invoke-Expression'. PowerShell ScriptBlock Log Event ID 4104 showing the full encoding script. No file or network events.

Last updated: 2026-04-14 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Sub-techniques (17)

Related Techniques

T1027.001Binary Padding T1027.002Software Packing T1027.004Compile After Delivery T1027.006HTML Smuggling T1027.010Command Obfuscation T1027.013Encrypted/Encoded File T1059.001PowerShell T1059.003Windows Command Shell T1140Deobfuscate/Decode Files or Information T1204.002Malicious File T1105Ingress Tool Transfer

Detect Obfuscated Files or Information in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (17)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (17)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox