Detect Obfuscated Files or Information in Microsoft Sentinel
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Canonical reference
- https://attack.mitre.org/techniques/T1027/
KQL Detection Query
let EncodingTools = dynamic(["certutil", "certutil.exe"]);
let EncodingFlags = dynamic(["-decode", "-decodehex", "-encodehex", "-urlcache", "-urlcache -split -f"]);
let SuspiciousEncodingPatterns = dynamic([
"[Convert]::FromBase64String",
"[System.Convert]::FromBase64String",
"[Convert]::ToBase64String",
"FromBase64String",
"ToBase64String",
"-EncodedCommand",
"-enc ",
"-e ",
"-ec ",
"certutil.*-decode",
"certutil.*-encodehex"
]);
let ObfuscationIndicators = dynamic([
"chr(", "chr (",
"[char]",
"\\x",
"0x",
"HEX:",
"bxor",
"-bxor",
"XOR"
]);
let CompressionTools = dynamic([
"compress-archive",
"expand-archive",
"io.compression",
"zipfile",
"7z.exe",
"7za.exe",
"rar.exe"
]);
// Branch 1: Certutil used for encoding/decoding (classic LOLBin obfuscation)
let CertutilObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-decode", "-decodehex", "-encodehex", "-urlcache")
| extend ObfuscationMethod = "certutil_encoding"
| extend RiskScore = 3;
// Branch 2: PowerShell Base64 operations outside common admin patterns
let PowerShellBase64 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
"[Convert]::FromBase64String",
"[System.Convert]::FromBase64String",
"FromBase64String",
"-EncodedCommand",
"-enc ",
"bxor",
"-bxor"
)
| extend ObfuscationMethod = "powershell_base64_or_xor"
| extend RiskScore = 2;
// Branch 3: Wscript/Cscript executing scripts with obfuscated content indicators
let ScriptObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
"chr(",
"[char]",
"String.fromCharCode",
"unescape(",
"escape(",
"eval("
)
| extend ObfuscationMethod = "script_charcode_obfuscation"
| extend RiskScore = 2;
// Branch 4: cmd.exe with excessive ^ or % variable expansion obfuscation
let CmdObfuscation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]{1}){4,}"
or (ProcessCommandLine matches regex @"(%[a-zA-Z_][a-zA-Z0-9_]*:~[0-9,]+%){3,}")
| extend ObfuscationMethod = "cmd_caret_or_var_obfuscation"
| extend RiskScore = 3;
// Union all branches
CertutilObfuscation
| union PowerShellBase64
| union ScriptObfuscation
| union CmdObfuscation
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ObfuscationMethod, RiskScore
| sort by Timestamp descDetects obfuscated file or information patterns across multiple execution vectors in Microsoft Defender for Endpoint. Covers certutil.exe used for Base64/hex encoding and decoding (LOLBin abuse), PowerShell Base64 operations and XOR encoding, script interpreters using character-code obfuscation (chr(), String.fromCharCode(), unescape()), and cmd.exe with caret-insertion or environment variable substring obfuscation. Returns an ObfuscationMethod tag and RiskScore to help analysts prioritize. As a parent technique covering many sub-techniques, individual detections for T1027.001–T1027.017 provide deeper coverage for specific obfuscation variants.
Data Sources
Required Tables
False Positives & Tuning
- Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows
- IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts
- Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations
- Backup and archiving software may use certutil or 7-zip with password flags that superficially resemble obfuscation patterns
- Web developers may use JavaScript unescape() or String.fromCharCode() in test scripts that get executed via cscript.exe during CI/CD
Other platforms for T1027
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Certutil Base64 Encode and Decode a Payload
Expected signal: Sysmon Event ID 1: Two Process Create events for certutil.exe — first with CommandLine containing '-encodehex' and output path, second with '-decode' and output path. Sysmon Event ID 11 (File Create): creation of the encoded and decoded output files in %TEMP%. Security Event ID 4688 if command line auditing is enabled. No network events expected for local file operations.
- Test 2PowerShell XOR Encoding of a String
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bxor'. PowerShell ScriptBlock Log Event ID 4104 showing the full XOR encoding/decoding script. No file or network events expected.
- Test 3Wscript Executing Character-Code Obfuscated VBScript
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing the .vbs file. Sysmon Event ID 11: File Create of the .vbs file in %TEMP%. The script prints 'df00tech' to a WScript dialog — no network or registry events.
- Test 4Cmd.exe Caret Insertion Obfuscation
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'w^h^o^a^m^i' (six carets). Depending on audit configuration, a second Process Create for whoami.exe may appear as a child process. Security Event ID 4688 for cmd.exe and whoami.exe if command line auditing is enabled.
- Test 5Double-Layer PowerShell Base64 Encoding
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', 'FromBase64String', and 'Invoke-Expression'. PowerShell ScriptBlock Log Event ID 4104 showing the full encoding script. No file or network events.
References (10)
- https://attack.mitre.org/techniques/T1027/
- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-to-turian/
- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
- https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- https://github.com/danielbohannon/Revoke-Obfuscation
- https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
- https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
- https://www.secureworks.com/research/darktortilla-malware-analysis
Unlock Pro Content
Get the full detection package for T1027 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (17)
- T1027.001Binary Padding
- T1027.002Software Packing
- T1027.003Steganography
- T1027.004Compile After Delivery
- T1027.005Indicator Removal from Tools
- T1027.006HTML Smuggling
- T1027.007Dynamic API Resolution
- T1027.008Stripped Payloads
- T1027.009Embedded Payloads
- T1027.010Command Obfuscation
- T1027.011Fileless Storage
- T1027.012LNK Icon Smuggling
- T1027.013Encrypted/Encoded File
- T1027.014Polymorphic Code
- T1027.015Compression
- T1027.016Junk Code Insertion
- T1027.017SVG Smuggling