T1140 IBM QRadar · QRadar

Detect Deobfuscate/Decode Files or Information in IBM QRadar

Adversaries may use Obfuscated Files or Information to conceal artifacts of an intrusion. They require separate mechanisms to decode or deobfuscate that information before use. Common methods include using certutil.exe to Base64-decode payloads disguised as certificate files, PowerShell's [Convert]::FromBase64String() to decode strings in memory, cmd.exe copy /b or type commands to reassemble binary fragments, and scripting languages (Python, VBScript) to perform XOR or RC4 decryption at runtime. These techniques allow adversaries to bypass static signature detection by staging encoded payloads and decoding them only at execution time.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1140 Deobfuscate/Decode Files or Information
Canonical reference
https://attack.mitre.org/techniques/T1140/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  "HOSTNAME"(sourceip) AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process" AS ParentImage,
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decodetohex%')
      THEN 'certutil-decode'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%')
      THEN 'powershell-base64-decompress'
    WHEN LOWER("Process Name") LIKE '%cmd.exe%'
      AND (LOWER("Command") LIKE '%copy /b%' OR LOWER("Command") LIKE '%copy /b %')
      THEN 'cmd-binary-reassembly'
    WHEN (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
      THEN 'lolbin-cab-extract'
    ELSE 'unknown'
  END AS DecodeMethod,
  CASE
    WHEN LOWER("Parent Process") LIKE '%wscript.exe%'
      OR LOWER("Parent Process") LIKE '%cscript.exe%'
      OR LOWER("Parent Process") LIKE '%mshta.exe%'
      OR LOWER("Parent Process") LIKE '%winword.exe%'
      OR LOWER("Parent Process") LIKE '%excel.exe%'
      OR LOWER("Parent Process") LIKE '%outlook.exe%'
      OR LOWER("Parent Process") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process") LIKE '%msbuild.exe%'
      OR LOWER("Parent Process") LIKE '%installutil.exe%'
      OR LOWER("Parent Process") LIKE '%regasm.exe%'
      THEN 1
    ELSE 0
  END AS SuspiciousParent,
  CASE
    WHEN UPPER(username) LIKE '%SYSTEM%' OR UPPER(username) LIKE '%ADMINISTRATOR%'
      THEN 1
    ELSE 0
  END AS HighPrivilege
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%'))
    OR
    ((LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%'))
    OR
    (LOWER("Process Name") LIKE '%cmd.exe%' AND LOWER("Command") LIKE '%copy /b%')
    OR
    (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
  )
  AND CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-decodehex%' OR LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decodetohex%')
      THEN 'certutil-decode'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND ("Command" LIKE '%FromBase64String%' OR "Command" LIKE '%GZipStream%' OR "Command" LIKE '%DeflateStream%' OR "Command" LIKE '%IO.MemoryStream%' OR "Command" LIKE '%IO.Compression%')
      THEN 'powershell-base64-decompress'
    WHEN LOWER("Process Name") LIKE '%cmd.exe%'
      AND (LOWER("Command") LIKE '%copy /b%' OR LOWER("Command") LIKE '%copy /b %')
      THEN 'cmd-binary-reassembly'
    WHEN (LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%')
      THEN 'lolbin-cab-extract'
    ELSE 'unknown'
  END <> 'unknown'
ORDER BY SuspiciousParent DESC, HighPrivilege DESC, starttime DESC
high severity medium confidence

QRadar AQL query detecting T1140 deobfuscation activity across four sub-techniques: certutil decode flags, PowerShell Base64/GZip/Deflate operations, cmd.exe binary copy reassembly, and LOLBin CAB extraction. Events are tagged with a DecodeMethod label and risk-weighted by SuspiciousParent and HighPrivilege indicators, mirroring the KQL/SPL risk scoring logic.

Data Sources

Microsoft Windows Security Event LogSysmon via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Automated certificate management tools (ACME clients, AD CS scripts) that invoke certutil -decode or -urlcache to process legitimate DER/PEM certificate conversions.
  • Enterprise software deployment systems (SCCM, Intune) running PowerShell with Base64-encoded configuration payloads for device provisioning.
  • Windows Update and application installers that use expand.exe or extrac32.exe to unpack compressed CAB bundles during patching workflows.
Download portable Sigma rule (.yml)

Other platforms for T1140

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Certutil Base64 Decode — Payload Disguised as Certificate File

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-decode C:\ProgramData\payload.txt C:\ProgramData\decoded_output.txt'. Sysmon Event ID 11: File Create for decoded_output.txt. Security Event ID 4688 (if process creation auditing with command line enabled): same certutil invocation captured in Windows Security log.

  2. Test 2PowerShell In-Memory Base64 Decode and Decompress Chain

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'FromBase64String', 'IO.MemoryStream', and 'GZipStream'. PowerShell ScriptBlock Logging (Event ID 4104): full script block captured in Microsoft-Windows-PowerShell/Operational log, showing the decompressed payload content. No file creation events — this is an entirely in-memory operation.

  3. Test 3cmd.exe Binary Fragment Reassembly with copy /b

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy /b' and the fragment paths. Sysmon Event ID 11: File Create events for frag1.dat, frag2.dat, and reassembled.bin. Security Event ID 4688 with command line auditing will capture the copy /b invocation. The output file reassembled.bin in C:\Users\Public is a staging-directory indicator.

  4. Test 4Certutil URL Cache Download and Decode (Simulated Offline)

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f http://127.0.0.1:8080' and 'C:\Windows\Temp\payload.b64'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 (connection will be refused). Windows Prefetch: CERTUTIL.EXE-*.pf updated with execution timestamp. The URL cache is also updated in %APPDATA%\Microsoft\Windows\IECompatCache regardless of download success.

  5. Test 5Linux Base64 Decode of Payload to Staging Directory

    Expected signal: Linux auditd EXECVE records for bash/sh executing 'base64 -d' and 'chmod +x'. Syslog entries capturing the command execution. If Sysmon for Linux is deployed: process creation event with CommandLine containing 'base64 -d' and output redirect to /tmp. File creation event for /tmp/.hidden_payload. The chmod +x on a newly created file in /tmp is an additional behavioral indicator captured as a separate process creation event.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1140 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1027Obfuscated Files or InformationT1027.001Binary PaddingT1027.002Software PackingT1027.010Command ObfuscationT1059.001PowerShellT1059.003Windows Command ShellT1105Ingress Tool TransferT1204.002Malicious FileT1218.003CMSTPT1036MasqueradingT1055Process Injection

Same Tactic: Defense Evasion

Popular Detections