T1140

Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to conceal artifacts of an intrusion. They require separate mechanisms to decode or deobfuscate that information before use. Common methods include using certutil.exe to Base64-decode payloads disguised as certificate files, PowerShell's [Convert]::FromBase64String() to decode strings in memory, cmd.exe copy /b or type commands to reassemble binary fragments, and scripting languages (Python, VBScript) to perform XOR or RC4 decryption at runtime. These techniques allow adversaries to bypass static signature detection by staging encoded payloads and decoding them only at execution time.

Microsoft Sentinel / Defender

kusto

let CertutilDecodePatterns = dynamic([
  "-decode", "-decodehex", "-urlcache", "-f -split", "-decodetohex"
]);
let PowerShellDecodePatterns = dynamic([
  "FromBase64String", "[Convert]::", "[System.Convert]::",
  "IO.MemoryStream", "GZipStream", "DeflateStream",
  "System.IO.Compression", "::Decompress"
]);
let CmdReassemblyPatterns = dynamic([
  "copy /b", "type ", "copy /B"
]);
let OtherDecodeTools = dynamic([
  "expand.exe", "extrac32.exe", "certutil"
]);
// Branch 1: certutil decode activity
let CertutilEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any (CertutilDecodePatterns)
| extend DecodeMethod = "certutil"
| extend Indicator = extract(@"(-decode|-decodehex|-urlcache|-split)", 0, tolower(ProcessCommandLine))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, DecodeMethod, Indicator;
// Branch 2: PowerShell in-memory decode/decompress
let PSDecodeEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PowerShellDecodePatterns)
| extend DecodeMethod = "powershell-base64"
| extend Indicator = case(
    ProcessCommandLine has "FromBase64String", "FromBase64String",
    ProcessCommandLine has "GZipStream", "GZip-Decompress",
    ProcessCommandLine has "DeflateStream", "Deflate-Decompress",
    "base64-decode"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, DecodeMethod, Indicator;
// Branch 3: cmd.exe binary fragment reassembly
let CmdReassemblyEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has "copy /b" or ProcessCommandLine has "copy /B"
| where ProcessCommandLine matches regex @"copy\s+/[bB].*\.(bin|dat|txt|jpg|png|pdf|tmp|log)"
| extend DecodeMethod = "cmd-copy-reassembly"
| extend Indicator = "binary-fragment-reassembly"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, DecodeMethod, Indicator;
// Branch 4: expand.exe / extrac32 abuse for CAB extraction of hidden payloads
let ExpandEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("expand.exe", "extrac32.exe")
| where ProcessCommandLine matches regex @"\.(cab|zip|dat|bin|txt|jpg|png|tmp)"
| extend DecodeMethod = FileName
| extend Indicator = "lolbin-cab-extract"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, DecodeMethod, Indicator;
// Union all branches and enrich
CertutilEvents
| union PSDecodeEvents, CmdReassemblyEvents, ExpandEvents
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe",
    "excel.exe", "outlook.exe", "rundll32.exe", "regsvr32.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe"
  )
| extend HighPrivilege = AccountName in~ ("SYSTEM", "Administrator") or
    InitiatingProcessAccountName in~ ("SYSTEM", "Administrator")
| extend RiskScore = case(
    SuspiciousParent and HighPrivilege, 3,
    SuspiciousParent or HighPrivilege, 2,
    1
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DecodeMethod, Indicator, SuspiciousParent, HighPrivilege, RiskScore
| sort by RiskScore desc, Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software installation scripts using certutil to download and decode legitimate certificate files during provisioning workflows
IT automation tools (SCCM, Ansible, Chef) using PowerShell Base64 encoding to safely pass configuration parameters that contain special characters
Security scanning or vulnerability assessment tools that use certutil for certificate chain validation and CRL download
Legitimate software updaters that use expand.exe or extrac32.exe to unpack update packages delivered as CAB files
Developers testing encoding/decoding routines on workstations — typically identifiable by IDE parent processes and developer machine naming conventions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\certutil.exe" AND (CommandLine="*-decode*" OR CommandLine="*-decodehex*" OR CommandLine="*-urlcache*"))
  OR (Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND
     (CommandLine="*FromBase64String*" OR CommandLine="*GZipStream*" OR CommandLine="*DeflateStream*" OR CommandLine="*IO.MemoryStream*" OR CommandLine="*IO.Compression*")
  OR (Image="*\\cmd.exe" AND CommandLine="*copy /b*")
  OR (Image="*\\expand.exe" OR Image="*\\extrac32.exe")
)
| eval DecodeMethod=case(
    match(Image, "certutil\.exe") AND match(lower(CommandLine), "(-decode|-decodehex|-urlcache)"), "certutil-decode",
    match(Image, "powershell\.exe|pwsh\.exe") AND match(CommandLine, "FromBase64String"), "ps-base64-decode",
    match(Image, "powershell\.exe|pwsh\.exe") AND match(CommandLine, "GZipStream|DeflateStream"), "ps-decompress",
    match(Image, "cmd\.exe") AND match(lower(CommandLine), "copy /b"), "cmd-binary-reassembly",
    match(Image, "expand\.exe|extrac32\.exe"), "lolbin-cab-extract",
    "unknown"
  )
| eval SuspiciousParent=if(
    match(ParentImage, "wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe"),
    1, 0
  )
| eval HighPrivilege=if(match(User, "(?i)(system|administrator|SYSTEM)"), 1, 0)
| eval WritesToSuspiciousPath=if(
    match(lower(CommandLine), "(temp|tmp|appdata|public|programdata|recycle)"),
    1, 0
  )
| eval RiskScore=SuspiciousParent*2 + HighPrivilege + WritesToSuspiciousPath
| where DecodeMethod != "unknown"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DecodeMethod, SuspiciousParent, HighPrivilege, WritesToSuspiciousPath, RiskScore
| sort - RiskScore, - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installation scripts using certutil to download and decode legitimate certificate files during provisioning workflows
IT automation tools (SCCM, Ansible, Chef) using PowerShell Base64 encoding to safely pass configuration parameters that contain special characters
Security scanning or vulnerability assessment tools that use certutil for certificate chain validation and CRL download
Legitimate software updaters that use expand.exe or extrac32.exe to unpack update packages delivered as CAB files
Developers testing encoding/decoding routines on workstations — typically identifiable by IDE parent processes and developer machine naming conventions

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
    (
      (process.name : "certutil.exe" and process.args : ("-decode", "-decodehex", "-urlcache", "-decodetohex", "-f")) or
      (process.name : ("powershell.exe", "pwsh.exe") and
        process.command_line : ("*FromBase64String*", "*[Convert]::*", "*[System.Convert]::*", "*IO.MemoryStream*", "*GZipStream*", "*DeflateStream*", "*IO.Compression*", "*::Decompress*")) or
      (process.name : "cmd.exe" and process.command_line : ("*copy /b*", "*copy /B*")) or
      (process.name : ("expand.exe", "extrac32.exe") and
        process.command_line : ("*.cab*", "*.zip*", "*.dat*", "*.bin*", "*.txt*", "*.jpg*", "*.png*", "*.tmp*"))
    )
  ] by process.pid

any where
  (
    (process.name : "certutil.exe" and process.args : ("-decode", "-decodehex", "-urlcache", "-decodetohex", "-f")) or
    (process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : ("*FromBase64String*", "*[Convert]::*", "*[System.Convert]::*", "*IO.MemoryStream*", "*GZipStream*", "*DeflateStream*", "*IO.Compression*", "*::Decompress*")) or
    (process.name : "cmd.exe" and process.command_line : ("*copy /b*", "*copy /B*")) or
    (process.name : ("expand.exe", "extrac32.exe"))
  ) and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe", "regasm.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Security Events Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

IT administrators using certutil.exe to decode legitimate certificate files during PKI operations or troubleshooting.
Developers and build systems running PowerShell scripts that use Base64-encoded configuration blobs or compressed payloads embedded in CI/CD pipelines.
Software installers and package managers (Chocolatey, Scoop) that use expand.exe or extrac32.exe to extract bundled CAB archives during installation.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  "HOSTNAME"(sourceip) AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process" AS ParentImage,
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decodetohex%')
      THEN 'certutil-decode'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%')
      THEN 'powershell-base64-decompress'
    WHEN LOWER("Process Name") LIKE '%cmd.exe%'
      AND (LOWER("Command") LIKE '%copy /b%' OR LOWER("Command") LIKE '%copy /b %')
      THEN 'cmd-binary-reassembly'
    WHEN (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
      THEN 'lolbin-cab-extract'
    ELSE 'unknown'
  END AS DecodeMethod,
  CASE
    WHEN LOWER("Parent Process") LIKE '%wscript.exe%'
      OR LOWER("Parent Process") LIKE '%cscript.exe%'
      OR LOWER("Parent Process") LIKE '%mshta.exe%'
      OR LOWER("Parent Process") LIKE '%winword.exe%'
      OR LOWER("Parent Process") LIKE '%excel.exe%'
      OR LOWER("Parent Process") LIKE '%outlook.exe%'
      OR LOWER("Parent Process") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process") LIKE '%msbuild.exe%'
      OR LOWER("Parent Process") LIKE '%installutil.exe%'
      OR LOWER("Parent Process") LIKE '%regasm.exe%'
      THEN 1
    ELSE 0
  END AS SuspiciousParent,
  CASE
    WHEN UPPER(username) LIKE '%SYSTEM%' OR UPPER(username) LIKE '%ADMINISTRATOR%'
      THEN 1
    ELSE 0
  END AS HighPrivilege
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%'))
    OR
    ((LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%'))
    OR
    (LOWER("Process Name") LIKE '%cmd.exe%' AND LOWER("Command") LIKE '%copy /b%')
    OR
    (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
  )
  AND CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decodetohex%')
      THEN 'certutil-decode'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%')
      THEN 'powershell-base64-decompress'
    WHEN LOWER("Process Name") LIKE '%cmd.exe%'
      AND (LOWER("Command") LIKE '%copy /b%' OR LOWER("Command") LIKE '%copy /b %')
      THEN 'cmd-binary-reassembly'
    WHEN (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
      THEN 'lolbin-cab-extract'
    ELSE 'unknown'
  END <> 'unknown'
ORDER BY SuspiciousParent DESC, HighPrivilege DESC, starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM

Required Tables

events

False Positives

Automated certificate management tools (ACME clients, AD CS scripts) that invoke certutil -decode or -urlcache to process legitimate DER/PEM certificate conversions.
Enterprise software deployment systems (SCCM, Intune) running PowerShell with Base64-encoded configuration payloads for device provisioning.
Windows Update and application installers that use expand.exe or extrac32.exe to unpack compressed CAB bundles during patching workflows.

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*
| where EventID = "1" OR EventID = "4688"
| json auto
| parse field=CommandLine "*" as RawCommand nodrop
| where (
    (toLower(Image) matches "*\\certutil.exe"
      AND (toLower(CommandLine) matches "*-decode*" OR toLower(CommandLine) matches "*-decodehex*" OR toLower(CommandLine) matches "*-urlcache*" OR toLower(CommandLine) matches "*-decodetohex*"))
  OR
    ((toLower(Image) matches "*\\powershell.exe" OR toLower(Image) matches "*\\pwsh.exe")
      AND (CommandLine matches "*FromBase64String*" OR CommandLine matches "*GZipStream*" OR CommandLine matches "*DeflateStream*" OR CommandLine matches "*IO.MemoryStream*" OR CommandLine matches "*IO.Compression*" OR CommandLine matches "*::Decompress*"))
  OR
    (toLower(Image) matches "*\\cmd.exe"
      AND (toLower(CommandLine) matches "*copy /b*" OR toLower(CommandLine) matches "*copy /b *"))
  OR
    (toLower(Image) matches "*\\expand.exe" OR toLower(Image) matches "*\\extrac32.exe")
  )
| eval DecodeMethod = if(toLower(Image) matches "*certutil.exe*" AND (toLower(CommandLine) matches "*-decode*" OR toLower(CommandLine) matches "*-decodehex*" OR toLower(CommandLine) matches "*-urlcache*"), "certutil-decode",
    if((toLower(Image) matches "*powershell.exe*" OR toLower(Image) matches "*pwsh.exe*") AND CommandLine matches "*FromBase64String*", "ps-base64-decode",
    if((toLower(Image) matches "*powershell.exe*" OR toLower(Image) matches "*pwsh.exe*") AND (CommandLine matches "*GZipStream*" OR CommandLine matches "*DeflateStream*" OR CommandLine matches "*::Decompress*"), "ps-decompress",
    if(toLower(Image) matches "*cmd.exe*" AND toLower(CommandLine) matches "*copy /b*", "cmd-binary-reassembly",
    if(toLower(Image) matches "*expand.exe*" OR toLower(Image) matches "*extrac32.exe*", "lolbin-cab-extract",
    "unknown")))))
| eval SuspiciousParent = if(toLower(ParentImage) matches "*wscript.exe*" OR toLower(ParentImage) matches "*cscript.exe*" OR toLower(ParentImage) matches "*mshta.exe*" OR toLower(ParentImage) matches "*winword.exe*" OR toLower(ParentImage) matches "*excel.exe*" OR toLower(ParentImage) matches "*outlook.exe*" OR toLower(ParentImage) matches "*rundll32.exe*" OR toLower(ParentImage) matches "*regsvr32.exe*" OR toLower(ParentImage) matches "*msbuild.exe*" OR toLower(ParentImage) matches "*installutil.exe*" OR toLower(ParentImage) matches "*regasm.exe*", 1, 0)
| eval HighPrivilege = if(toUpperCase(User) matches "*SYSTEM*" OR toUpperCase(User) matches "*ADMINISTRATOR*", 1, 0)
| eval WritesToSuspiciousPath = if(toLower(CommandLine) matches "*(temp|tmp|appdata|public|programdata|recycle)*", 1, 0)
| eval RiskScore = SuspiciousParent * 2 + HighPrivilege + WritesToSuspiciousPath
| where DecodeMethod != "unknown"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DecodeMethod, SuspiciousParent, HighPrivilege, WritesToSuspiciousPath, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sysmon (Event ID 1) Windows Security (Event ID 4688) Windows Event Log

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Security tools and EDR agents that decode telemetry or configuration blobs using PowerShell Base64 operations as part of their normal operation.
DevOps pipelines executing PowerShell scripts with compressed or Base64-encoded payloads for configuration management (Ansible, Chef, Puppet Windows agents).
Helpdesk and IT automation scripts using certutil for routine certificate export, import, or CRL retrieval that include -urlcache flags.

Google Chronicle / SecOps

yaral

rule t1140_deobfuscate_decode_files {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1140 deobfuscation and decoding activity: certutil decode flags, PowerShell Base64/GZip/Deflate operations, cmd.exe binary copy reassembly, and LOLBin CAB extraction via expand.exe or extrac32.exe."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1140"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1140/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $image

    (
      // Branch 1: certutil decode
      (
        re.regex($image, `(?i)certutil\.exe$`) and
        (
          re.regex($cmdline, `(?i)-decode`) or
          re.regex($cmdline, `(?i)-decodehex`) or
          re.regex($cmdline, `(?i)-urlcache`) or
          re.regex($cmdline, `(?i)-decodetohex`) or
          re.regex($cmdline, `(?i)-f\s+-split`)
        )
      ) or
      // Branch 2: PowerShell Base64 / GZip / Deflate
      (
        re.regex($image, `(?i)(powershell|pwsh)\.exe$`) and
        (
          strings.contains($cmdline, "FromBase64String") or
          strings.contains($cmdline, "[Convert]::") or
          strings.contains($cmdline, "[System.Convert]::") or
          strings.contains($cmdline, "IO.MemoryStream") or
          strings.contains($cmdline, "GZipStream") or
          strings.contains($cmdline, "DeflateStream") or
          strings.contains($cmdline, "IO.Compression") or
          strings.contains($cmdline, "::Decompress")
        )
      ) or
      // Branch 3: cmd.exe binary fragment reassembly
      (
        re.regex($image, `(?i)cmd\.exe$`) and
        re.regex($cmdline, `(?i)copy\s+/[bB]`)
      ) or
      // Branch 4: expand.exe / extrac32.exe LOLBin CAB extraction
      (
        re.regex($image, `(?i)(expand|extrac32)\.exe$`) and
        re.regex($cmdline, `(?i)\.(cab|zip|dat|bin|txt|jpg|png|tmp)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|winword|excel|outlook|rundll32|regsvr32|msbuild|installutil|regasm)\.exe`), 2, 0) +
      if(re.regex($e.principal.user.userid, `(?i)(system|administrator)`), 1, 0)
    )
    $decode_method = if(re.regex($image, `(?i)certutil\.exe`), "certutil-decode",
      if(re.regex($image, `(?i)(powershell|pwsh)\.exe`) and strings.contains($cmdline, "FromBase64String"), "ps-base64-decode",
      if(re.regex($image, `(?i)(powershell|pwsh)\.exe`) and (strings.contains($cmdline, "GZipStream") or strings.contains($cmdline, "DeflateStream")), "ps-decompress",
      if(re.regex($image, `(?i)cmd\.exe`), "cmd-binary-reassembly",
      if(re.regex($image, `(?i)(expand|extrac32)\.exe`), "lolbin-cab-extract",
      "unknown")))))
    $parent_image = $e.principal.process.file.full_path
    $user = $e.principal.user.userid

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Log via Chronicle forwarder Sysmon via Chronicle

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise PKI management scripts and tools (AD CS, Let's Encrypt ACME clients) that call certutil -decode or -urlcache to process certificate chains and CRL distribution points.
Security operations tooling (SOAR playbooks, EDR response scripts) that use PowerShell Base64 encoding to pass configuration or evidence collection payloads over APIs.
Windows software distribution tools (SCCM deployment packages, Chocolatey) that invoke expand.exe to extract bundled CAB or ZIP archives during installation.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(certutil|powershell|pwsh|cmd|expand|extrac32)\.exe$/
| CommandLine = /.+/
// Classify decode method
| DecodeMethod := case {
    ImageFileName = /(?i)certutil\.exe/ AND CommandLine = /(?i)(-decode|-decodehex|-urlcache|-decodetohex|-f\s+-split)/ : "certutil-decode" ;
    ImageFileName = /(?i)(powershell|pwsh)\.exe/ AND CommandLine = /FromBase64String|\[Convert\]::|\[System\.Convert\]::|IO\.MemoryStream/ : "ps-base64-decode" ;
    ImageFileName = /(?i)(powershell|pwsh)\.exe/ AND CommandLine = /GZipStream|DeflateStream|IO\.Compression|::Decompress/ : "ps-decompress" ;
    ImageFileName = /(?i)cmd\.exe/ AND CommandLine = /(?i)copy\s+\/[bB]/ : "cmd-binary-reassembly" ;
    ImageFileName = /(?i)(expand|extrac32)\.exe/ AND CommandLine = /(?i)\.(cab|zip|dat|bin|txt|jpg|png|tmp)/ : "lolbin-cab-extract" ;
    * : "unknown"
  }
| DecodeMethod != "unknown"
// Flag suspicious parent processes
| SuspiciousParent := if(
    ParentBaseFileName = /(?i)(wscript|cscript|mshta|winword|excel|outlook|rundll32|regsvr32|msbuild|installutil|regasm)\.exe/,
    1, 0
  )
// Flag high privilege execution
| HighPrivilege := if(
    UserName = /(?i)(system|administrator)/,
    1, 0
  )
// Flag writes to suspicious staging paths
| SuspiciousPath := if(
    CommandLine = /(?i)(temp|tmp|appdata|public|programdata|recycle)/,
    1, 0
  )
// Compute composite risk score
| RiskScore := SuspiciousParent * 2 + HighPrivilege + SuspiciousPath
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DecodeMethod, SuspiciousParent, HighPrivilege, SuspiciousPath, RiskScore],
    function=max(RiskScore, as=MaxRisk)
  )
| sort(MaxRisk, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events

Required Tables

ProcessRollup2

False Positives

Falcon sensor exclusions or IT automation accounts running certutil in scheduled tasks for routine certificate lifecycle operations (renewal, CRL updates, OCSP stapling).
PowerShell Desired State Configuration (DSC) and endpoint management agents that encode configuration MOF documents or remediation scripts as Base64 to transport them securely.
Third-party application installers bundled by software vendors that use expand.exe or extrac32.exe to self-extract CAB-formatted payload archives as part of their setup routines.

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1140 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Deobfuscate/Decode Files or Information

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections