Detect Deobfuscate/Decode Files or Information in Google Chronicle
Adversaries may use Obfuscated Files or Information to conceal artifacts of an intrusion. They require separate mechanisms to decode or deobfuscate that information before use. Common methods include using certutil.exe to Base64-decode payloads disguised as certificate files, PowerShell's [Convert]::FromBase64String() to decode strings in memory, cmd.exe copy /b or type commands to reassemble binary fragments, and scripting languages (Python, VBScript) to perform XOR or RC4 decryption at runtime. These techniques allow adversaries to bypass static signature detection by staging encoded payloads and decoding them only at execution time.
MITRE ATT&CK
- Tactic: Defense Evasion
- Canonical reference: https://attack.mitre.org/techniques/T1140/
YARA-L Detection Query
rule t1140_deobfuscate_decode_files {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1140 deobfuscation and decoding activity: certutil decode flags, PowerShell Base64/GZip/Deflate operations, cmd.exe binary copy reassembly, and LOLBin CAB extraction via expand.exe or extrac32.exe."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1140"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1140/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $image
    (
      // Branch 1: certutil decode (and -urlcache fetch) flags
      (
        re.regex($image, `(?i)certutil\.exe$`) and
        (
          re.regex($cmdline, `(?i)-decode`) or
          re.regex($cmdline, `(?i)-decodehex`) or
          re.regex($cmdline, `(?i)-urlcache`) or
          re.regex($cmdline, `(?i)-decodetohex`) or
          re.regex($cmdline, `(?i)-f\s+-split`)
        )
      ) or
      // Branch 2: PowerShell Base64 / GZip / Deflate
      (
        re.regex($image, `(?i)(powershell|pwsh)\.exe$`) and
        (
          strings.contains($cmdline, "FromBase64String") or
          strings.contains($cmdline, "[Convert]::") or
          strings.contains($cmdline, "[System.Convert]::") or
          strings.contains($cmdline, "IO.MemoryStream") or
          strings.contains($cmdline, "GZipStream") or
          strings.contains($cmdline, "DeflateStream") or
          strings.contains($cmdline, "IO.Compression") or
          strings.contains($cmdline, "::Decompress")
        )
      ) or
      // Branch 3: cmd.exe binary fragment reassembly
      (
        re.regex($image, `(?i)cmd\.exe$`) and
        re.regex($cmdline, `(?i)copy\s+/b`)
      ) or
      // Branch 4: expand.exe / extrac32.exe LOLBin CAB extraction
      (
        re.regex($image, `(?i)(expand|extrac32)\.exe$`) and
        re.regex($cmdline, `(?i)\.(cab|zip|dat|bin|txt|jpg|png|tmp)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    // With a match section present, every outcome variable must be an aggregation
    // over the events in the window (max, array_distinct, ...).
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|winword|excel|outlook|rundll32|regsvr32|msbuild|installutil|regasm)\.exe`), 2, 0) +
      if(re.regex($e.principal.user.userid, `(?i)(system|administrator)`), 1, 0)
    )
    $decode_method = array_distinct(
      if(re.regex($image, `(?i)certutil\.exe`), "certutil-decode",
      if(re.regex($image, `(?i)(powershell|pwsh)\.exe`) and strings.contains($cmdline, "FromBase64String"), "ps-base64-decode",
      if(re.regex($image, `(?i)(powershell|pwsh)\.exe`) and (strings.contains($cmdline, "GZipStream") or strings.contains($cmdline, "DeflateStream")), "ps-decompress",
      if(re.regex($image, `(?i)cmd\.exe`), "cmd-binary-reassembly",
      if(re.regex($image, `(?i)(expand|extrac32)\.exe`), "lolbin-cab-extract",
      "unknown")))))
    )
    $parent_image = array_distinct($e.principal.process.file.full_path)
    $user = array_distinct($e.principal.user.userid)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1140 deobfuscation activity across four behavioral branches: certutil with decode flags, PowerShell Base64/GZip/Deflate operations, cmd.exe binary reassembly via copy /b, and LOLBin CAB extraction. Risk scoring is computed in the outcome block based on suspicious parent process lineage and high-privilege execution context. The 5-minute match window correlates repeated decode activity per host.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise PKI management scripts and tools (AD CS, Let's Encrypt ACME clients) that call certutil -decode or -urlcache to process certificate chains and CRL distribution points.
- Security operations tooling (SOAR playbooks, EDR response scripts) that use PowerShell Base64 encoding to pass configuration or evidence collection payloads over APIs.
- Windows software distribution tools (SCCM deployment packages, Chocolatey) that invoke expand.exe to extract bundled CAB or ZIP archives during installation.
Other platforms for T1140
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Certutil Base64 Decode — Payload Disguised as Certificate File
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-decode C:\ProgramData\payload.txt C:\ProgramData\decoded_output.txt'. Sysmon Event ID 11: File Create for decoded_output.txt. Security Event ID 4688 (if process creation auditing with command line enabled): same certutil invocation captured in Windows Security log.
- Test 2: PowerShell In-Memory Base64 Decode and Decompress Chain
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'FromBase64String', 'IO.MemoryStream', and 'GZipStream'. PowerShell ScriptBlock Logging (Event ID 4104): full script block captured in Microsoft-Windows-PowerShell/Operational log, showing the decompressed payload content. No file creation events — this is an entirely in-memory operation.
- Test 3: cmd.exe Binary Fragment Reassembly with copy /b
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy /b' and the fragment paths. Sysmon Event ID 11: File Create events for frag1.dat, frag2.dat, and reassembled.bin. Security Event ID 4688 with command line auditing will capture the copy /b invocation. The output file reassembled.bin in C:\Users\Public is a staging-directory indicator.
- Test 4: Certutil URL Cache Download and Decode (Simulated Offline)
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f http://127.0.0.1:8080' and 'C:\Windows\Temp\payload.b64'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 (connection will be refused). Windows Prefetch: CERTUTIL.EXE-*.pf updated with execution timestamp. The URL cache is also updated in %APPDATA%\Microsoft\Windows\IECompatCache regardless of download success.
- Test 5: Linux Base64 Decode of Payload to Staging Directory
Expected signal: Linux auditd EXECVE records for bash/sh executing 'base64 -d' and 'chmod +x'. Syslog entries capturing the command execution. If Sysmon for Linux is deployed: process creation event with CommandLine containing 'base64 -d' and output redirect to /tmp. File creation event for /tmp/.hidden_payload. The chmod +x on a newly created file in /tmp is an additional behavioral indicator captured as a separate process creation event.
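To check the rule's four branches, its outcome scoring and its per-host 5-minute correlation against the expected signals listed above before deploying it in Chronicle, the following Python is an added, stand-alone re-implementation of the detection logic; it is not part of the original page or the Argus rule. The process-creation records are constructed to resemble the Sysmon Event ID 1 fields the rule consumes (image, command line, parent image, user, hostname, timestamp); the hostnames, users and paths are made up, and the tumbling-bucket window is an approximation of Chronicle's `match ... over 5m` semantics, not a reproduction of them.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon EID 1 / Chronicle PROCESS_LAUNCH shaped).
# Events 1-4 correspond to Tests 1-4 above, event 5 is a benign certutil call,
# event 6 is Test 5 (Linux), which the rule as written does not cover.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "hostname": "WS01", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\ProgramData\payload.txt C:\ProgramData\decoded_output.txt"},
    {"ts": "2024-01-01T10:01:30", "hostname": "WS01", "user": "jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String($b));"
                "$g=New-Object IO.Compression.GZipStream($s,[IO.Compression.CompressionMode]::Decompress)"},
    {"ts": "2024-01-01T10:02:00", "hostname": "WS01", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b C:\Users\Public\frag1.dat+C:\Users\Public\frag2.dat C:\Users\Public\reassembled.bin"},
    {"ts": "2024-01-01T11:30:00", "hostname": "SRV02", "user": "SYSTEM",
     "parent": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe package.cab -F:* C:\Windows\Temp\pkg"},
    {"ts": "2024-01-01T11:31:00", "hostname": "SRV02", "user": "SYSTEM",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
    {"ts": "2024-01-01T12:00:00", "hostname": "lnx03", "user": "www-data",
     "parent": "/bin/bash", "image": "/usr/bin/base64",
     "cmdline": "base64 -d /tmp/p.b64"},
]

# Same markers as Branch 2 of the rule; strings.contains is case-sensitive, as is `in`.
PS_MARKERS = ("FromBase64String", "[Convert]::", "[System.Convert]::", "IO.MemoryStream",
              "GZipStream", "DeflateStream", "IO.Compression", "::Decompress")
SUSPICIOUS_PARENT = re.compile(
    r"(wscript|cscript|mshta|winword|excel|outlook|rundll32|regsvr32|msbuild|installutil|regasm)\.exe", re.I)
PRIVILEGED_USER = re.compile(r"(system|administrator)", re.I)


def matches_events_section(image, cmdline):
    """True when the event satisfies one of the rule's four events-section branches."""
    if re.search(r"certutil\.exe$", image, re.I):
        return re.search(r"-decode|-decodehex|-urlcache|-decodetohex|-f\s+-split", cmdline, re.I) is not None
    if re.search(r"(powershell|pwsh)\.exe$", image, re.I):
        return any(marker in cmdline for marker in PS_MARKERS)
    if re.search(r"cmd\.exe$", image, re.I):
        return re.search(r"copy\s+/b", cmdline, re.I) is not None
    if re.search(r"(expand|extrac32)\.exe$", image, re.I):
        return re.search(r"\.(cab|zip|dat|bin|txt|jpg|png|tmp)", cmdline, re.I) is not None
    return False


def decode_method(image, cmdline):
    """Mirror of the nested if() that labels $decode_method in the outcome section."""
    if re.search(r"certutil\.exe", image, re.I):
        return "certutil-decode"
    if re.search(r"(powershell|pwsh)\.exe", image, re.I):
        if "FromBase64String" in cmdline:
            return "ps-base64-decode"
        if "GZipStream" in cmdline or "DeflateStream" in cmdline:
            return "ps-decompress"
        return "unknown"  # e.g. only "[Convert]::" matched
    if re.search(r"cmd\.exe", image, re.I):
        return "cmd-binary-reassembly"
    if re.search(r"(expand|extrac32)\.exe", image, re.I):
        return "lolbin-cab-extract"
    return "unknown"


def risk_score(parent, user):
    """+2 for a scripting/Office/LOLBin parent, +1 for a SYSTEM/administrator user."""
    return (2 if SUSPICIOUS_PARENT.search(parent) else 0) + (1 if PRIVILEGED_USER.search(user) else 0)


def correlate(events, window=timedelta(minutes=5)):
    """Group matching events per hostname into 5-minute buckets (an approximation of
    `match: $hostname over 5m`) and compute the aggregated outcome variables per bucket."""
    hits = sorted((e for e in events if matches_events_section(e["image"], e["cmdline"])),
                  key=lambda e: e["ts"])
    detections, open_bucket = [], {}
    for e in hits:
        ts = datetime.fromisoformat(e["ts"])
        bucket = open_bucket.get(e["hostname"])
        if bucket is None or ts - bucket["start"] >= window:
            bucket = {"hostname": e["hostname"], "start": ts, "events": []}
            open_bucket[e["hostname"]] = bucket
            detections.append(bucket)
        bucket["events"].append(e)
    for b in detections:
        b["risk_score"] = max(risk_score(e["parent"], e["user"]) for e in b["events"])
        b["decode_method"] = sorted({decode_method(e["image"], e["cmdline"]) for e in b["events"]})
        b["parent_image"] = sorted({e["parent"] for e in b["events"]})
        b["user"] = sorted({e["user"] for e in b["events"]})
    return detections


if __name__ == "__main__":
    for d in correlate(SAMPLE_EVENTS):
        print(d["hostname"], d["start"].isoformat(), len(d["events"]), d["risk_score"], d["decode_method"])
```

Running it yields one detection for WS01 (three events in one window, risk score 2 from the WINWORD.EXE parent) and one for SRV02 (the expand.exe call, risk score 1 from the SYSTEM user); the benign `certutil -verify` call and the Linux `base64 -d` event produce nothing, which confirms that Test 5 is outside this rule's coverage and needs a separate Linux rule. Two things the exercise makes visible: the `(system|administrator)` user regex is unanchored, so any userid containing those substrings scores +1, and `$decode_method` falls back to "unknown" for a PowerShell hit that matched only on `[Convert]::` or `IO.MemoryStream`.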
References (9)
- https://attack.mitre.org/techniques/T1140/
- https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
- https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
- https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
- https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml