title: Deobfuscate/Decode Files or Information (T1140)
id: df00tech-t1140
status: experimental
description: "Adversaries may use Obfuscated Files or Information to conceal artifacts of an intrusion. They require separate mechanisms to decode or deobfuscate that information before use. Common methods include using certutil.exe to Base64-decode payloads disguised as certificate files, PowerShell's [Convert]::FromBase64String() to decode strings in memory, cmd.exe copy /b or type commands to reassemble binary fragments, and scripting languages (Python, VBScript) to perform XOR or RC4 decryption at runtime. These techniques allow adversaries to bypass static signature detection by staging encoded payloads and decoding them only at execution time."
references:
  - https://attack.mitre.org/techniques/T1140/
  - https://df00tech.com/detections/T1140
author: df00tech
date: 2026/04/18
tags:
  - attack.t1140
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installation scripts using certutil to download and decode legitimate certificate files during provisioning workflows
  - "IT automation tools (SCCM, Ansible, Chef) using PowerShell Base64 encoding to safely pass configuration parameters that contain special characters"
  - Security scanning or vulnerability assessment tools that use certutil for certificate chain validation and CRL download
  - Legitimate software updaters that use expand.exe or extrac32.exe to unpack update packages delivered as CAB files
  - Developers testing encoding/decoding routines on workstations — typically identifiable by IDE parent processes and developer machine naming conventions
level: medium
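As an added example (not part of the df00tech rule and not its KQL/SPL logic), the following Python script applies the decoding indicators named in the description (certutil `-decode`, PowerShell `FromBase64String`, `copy /b` or `type ... /b` reassembly) to constructed Windows process_creation events and down-ranks hits whose parent is a developer IDE, in line with the last false-positive entry. The field names (Image, CommandLine, ParentImage), the sample events and the IDE parent list are assumptions made for this illustration.

```python
"""Added example: minimal offline check of T1140 decoding indicators against
constructed process_creation events. Field names follow the Sysmon-style
convention (Image, CommandLine, ParentImage); events and the IDE list are
assumptions, not real telemetry."""
import re
from dataclasses import dataclass

# Indicator patterns derived from the rule description.
INDICATORS = {
    # certutil.exe used with -decode or -decodehex
    "certutil_decode": re.compile(r"certutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I),
    # PowerShell decoding a Base64 string in memory
    "powershell_frombase64": re.compile(r"FromBase64String\s*\(", re.I),
    # cmd.exe reassembling binary fragments with copy /b or type /b
    "cmd_binary_reassemble": re.compile(r"\b(copy|type)\b.*\s/b\b", re.I),
}

# Assumed developer-tool parents; a hit under one of these is reported as low confidence.
IDE_PARENTS = ("devenv.exe", "code.exe", "idea64.exe", "pycharm64.exe")


@dataclass
class Finding:
    indicator: str
    command_line: str
    confidence: str  # "medium" (rule level) or "low" when the parent is an IDE


def check_event(event: dict) -> list[Finding]:
    """Return one Finding per indicator that matches the event's command line."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    confidence = "low" if parent in IDE_PARENTS else "medium"
    return [Finding(name, cmd, confidence) for name, pat in INDICATORS.items() if pat.search(cmd)]


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a list of events and collect all findings in order."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -decode payload.txt payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d))"',
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c copy /b part1.bin + part2.bin out.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign certutil use (CRL/certificate download) from the false-positive list: no decode switch.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f https://example.invalid/ca.crt ca.crt",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.indicator}: {f.command_line}")
```

Running the block reports the certutil decode and `copy /b` events at medium confidence, the `FromBase64String` call launched from an IDE parent at low confidence, and nothing for the certificate-download event, which mirrors the distinction the rule's false-positive list draws between decoding and legitimate certutil use.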
