T1027 IBM QRadar · QRadar

Detect Obfuscated Files or Information in IBM QRadar

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Canonical reference: https://attack.mitre.org/techniques/T1027/

QRadar Detection Query

IBM QRadar (QRadar), AQL
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "TargetUserName",
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "CommandLine",
  "ParentCommandLine",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR
      LOWER("CommandLine") LIKE '%-decodehex%' OR
      LOWER("CommandLine") LIKE '%-encodehex%' OR
      LOWER("CommandLine") LIKE '%-urlcache%'
    ) THEN 'certutil_encode_decode'
    WHEN (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR
      LOWER("CommandLine") LIKE '%tobase64string%' OR
      LOWER("CommandLine") LIKE '%-encodedcommand%' OR
      LOWER("CommandLine") LIKE '%-enc %' OR
      LOWER("CommandLine") LIKE '%bxor%'
    ) THEN 'powershell_base64_xor'
    WHEN (LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR
      LOWER("CommandLine") LIKE '%string.fromcharcode%' OR
      LOWER("CommandLine") LIKE '%unescape(%' OR
      LOWER("CommandLine") LIKE '%eval(%'
    ) THEN 'script_charcode_obfuscation'
    WHEN LOWER("Image") LIKE '%cmd.exe' AND (
      "CommandLine" LIKE '%^_^_^_^_%' OR
      "CommandLine" LIKE '%:~%,%%'
    ) THEN 'cmd_caret_or_var_obfuscation'
    ELSE 'unknown'
  END AS obfuscation_method
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 433)
  AND ("EventID" = '1' OR "EventID" = '4688')
  AND (
    (LOWER("Image") LIKE '%certutil.exe' AND (
      LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-decodehex%' OR
      LOWER("CommandLine") LIKE '%-encodehex%' OR LOWER("CommandLine") LIKE '%-urlcache%'
    )) OR
    ((LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe') AND (
      LOWER("CommandLine") LIKE '%frombase64string%' OR LOWER("CommandLine") LIKE '%tobase64string%' OR
      LOWER("CommandLine") LIKE '%-encodedcommand%' OR LOWER("CommandLine") LIKE '%-enc %' OR
      LOWER("CommandLine") LIKE '%bxor%'
    )) OR
    ((LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe') AND (
      LOWER("CommandLine") LIKE '%chr(%' OR LOWER("CommandLine") LIKE '%string.fromcharcode%' OR
      LOWER("CommandLine") LIKE '%unescape(%' OR LOWER("CommandLine") LIKE '%eval(%'
    )) OR
    (LOWER("Image") LIKE '%cmd.exe' AND (
      "CommandLine" LIKE '%^_^_^_^_%' OR "CommandLine" LIKE '%:~%,%%'
    ))
  )
ORDER BY devicetime DESC
Severity: high, Confidence: medium

Detects T1027 obfuscation techniques via Sysmon Event ID 1 (Process Create) or Security Event ID 4688 in QRadar. Flags certutil decode/encode operations, PowerShell Base64/XOR usage, script-engine character-code obfuscation, and cmd.exe caret insertion or variable-substring expansion. An AQL CASE expression labels each row with the obfuscation method, and the WHERE clause repeats the same Image and CommandLine patterns so that every returned row receives a category rather than falling through to 'unknown'. Note the LIKE wildcard semantics: '_' matches exactly one character, so '%^_^_^_^_%' requires four carets each followed by a single character (as in w^h^o^a^m^i), and '%:~%,%%' matches the '%VAR:~n,m%' substring-expansion syntax; '*' has no wildcard meaning in AQL LIKE.
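To dry-run the CASE logic above against sample process-creation events before deploying it, the following added Python (not part of the original detection package) translates each AQL LIKE pattern into a regex with the same '%' and '_' semantics and classifies constructed Sysmon Event ID 1 fields; the variable-expansion pattern is expressed with LIKE wildcards ('%:~%,%%'). Function names and sample command lines are assumptions made here for illustration.

```python
import re

# The CASE branches from the AQL query: (label, image suffix regex, LIKE patterns).
# In AQL LIKE, '%' matches any run of characters and '_' exactly one character; the
# variable-expansion pattern is written with those wildcards ('%:~%,%%'), not with '*'.
RULES = [
    ("certutil_encode_decode", r"certutil\.exe$",
     ["%-decode%", "%-decodehex%", "%-encodehex%", "%-urlcache%"]),
    ("powershell_base64_xor", r"(powershell|pwsh)\.exe$",
     ["%frombase64string%", "%tobase64string%", "%-encodedcommand%", "%-enc %", "%bxor%"]),
    ("script_charcode_obfuscation", r"(wscript|cscript|mshta)\.exe$",
     ["%chr(%", "%string.fromcharcode%", "%unescape(%", "%eval(%"]),
    ("cmd_caret_or_var_obfuscation", r"cmd\.exe$", ["%^_^_^_^_%", "%:~%,%%"]),
]

def like_to_regex(pattern):
    """Translate one AQL LIKE pattern into an anchored regex (everything else literal)."""
    body = "".join({"%": ".*", "_": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile("^" + body + "$", re.DOTALL)

def classify(image, command_line):
    """Label an (Image, CommandLine) pair as the CASE expression would, after LOWER();
    returns None when no branch matches, i.e. the event would not pass the WHERE clause."""
    img, cmd = image.lower(), command_line.lower()
    for label, image_re, likes in RULES:
        if re.search(image_re, img) and any(like_to_regex(p).match(cmd) for p in likes):
            return label
    return None

def run_detection(events):
    """Apply classify() to every event and return the labelled hits only."""
    return [(cmd, classify(img, cmd)) for img, cmd in events if classify(img, cmd)]

# Constructed Sysmon Event ID 1 fields for a dry run; not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe", "certutil.exe -decode payload.txt payload.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -EncodedCommand SQBFAFgAIAAoACkA"),
    (r"C:\Windows\System32\wscript.exe", "wscript.exe //e:vbscript logon.vbs"),  # no charcode
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c w^h^o^a^m^i"),                  # caret insertion
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c set a=whoami&&call %a:~0,6%"),  # %var:~n,m%
    (r"C:\Windows\System32\certutil.exe", "certutil.exe -verify cert.cer"),      # benign PKI use
]

if __name__ == "__main__":
    for cmd, label in run_detection(SAMPLE_EVENTS):
        print(f"{label:30} {cmd}")
```

The two benign rows (a plain .vbs launch and a certutil -verify) fall out of the result set, which is the behaviour to confirm when tuning the patterns against the false-positive sources listed below.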

Data Sources

  • QRadar SIEM with Windows Sysmon log source (LOGSOURCETYPEID 433)
  • Windows Security Event log source (LOGSOURCETYPEID 12)

Required Tables

events

False Positives & Tuning

  • System administrators using certutil for PKI certificate management or WSUS operations that involve file decode steps
  • Automated deployment pipelines (Ansible, Chef, Puppet) that pass Base64-encoded configuration blobs via PowerShell
  • Legacy web automation scripts using cscript with eval() or String.fromCharCode() for encoding compatibility
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Certutil Base64 Encode and Decode a Payload

    Expected signal: Sysmon Event ID 1: two Process Create events for certutil.exe, the first with CommandLine containing '-encodehex' and an output path, the second with '-decode' and an output path. Sysmon Event ID 11 (File Create): creation of the encoded and decoded output files in %TEMP%. Security Event ID 4688 if command line auditing is enabled. No network events expected for local file operations.

  2. Test 2: PowerShell XOR Encoding of a String

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bxor'. PowerShell ScriptBlock Log Event ID 4104 showing the full XOR encoding/decoding script. No file or network events expected.

  3. Test 3: Wscript Executing Character-Code Obfuscated VBScript

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing the .vbs file. Sysmon Event ID 11: File Create of the .vbs file in %TEMP%. The script prints 'df00tech' to a WScript dialog; no network or registry events.

  4. Test 4: Cmd.exe Caret Insertion Obfuscation

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'w^h^o^a^m^i' (six carets). Depending on audit configuration, a second Process Create for whoami.exe may appear as a child process. Security Event ID 4688 for cmd.exe and whoami.exe if command line auditing is enabled.

  5. Test 5: Double-Layer PowerShell Base64 Encoding

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', 'FromBase64String', and 'Invoke-Expression'. PowerShell ScriptBlock Log Event ID 4104 showing the full encoding script. No file or network events.
