Deobfuscate/Decode Files or Information

Technique: Deobfuscate/Decode Files or Information
ID: T1140
Tactic: Defense Evasion
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Permissions Required: User
Data Sources: File monitoring, Process Monitoring, Process command-line parameters
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Signature-based detection, Network intrusion detection system
Contributors: Matthew Demaske, Adaptforward

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. Depending on how they intend to use that information, they may need a separate mechanism to decode or deobfuscate it. Methods include built-in functionality of the malware, Scripting, PowerShell, or utilities already present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.[1]

Examples

  • certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting[2] tools, like AppLocker,[3][4] or Software Restriction Policies[5] where appropriate.[6]

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.
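A command-line monitoring check for the certutil and PowerShell decoding paths described above, as an added example that is not part of the ATT&CK page. The sample command lines are constructed; the patterns key on certutil's -decode/-decodehex switches and .NET's FromBase64String, and rate a decode whose output has an executable extension as the strongest signal.

```python
import re
from typing import Optional

# Constructed process-creation command lines (not real telemetry). Two are benign
# certutil uses that should not fire; the others show decoding of hidden content.
SAMPLE_COMMAND_LINES = [
    r"certutil -decode C:\Users\Public\update.crt C:\Users\Public\svc.exe",
    "certutil -store My",
    "cmd.exe /c certutil.exe /decodehex notes.txt notes.bin",
    "powershell -nop -w hidden -c \"[IO.File]::WriteAllBytes('a.dll',"
    "[Convert]::FromBase64String($b))\"",
    "certutil -verify cert.cer",
]

# certutil accepts both '-' and '/' switch prefixes; -decode reverses Base64,
# -decodehex reverses hex encoding. Syntax: certutil -decode InFile OutFile
CERTUTIL_DECODE = re.compile(
    r"\bcertutil(?:\.exe)?\b.*?\s[-/](decodehex|decode)\b", re.IGNORECASE)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
PS_BASE64 = re.compile(r"FromBase64String", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|ps1|vbs|js|bat|cmd)[\"']?$", re.IGNORECASE)


def classify(command_line: str) -> Optional[dict]:
    """Return a T1140 finding for a decoding command line, or None if it looks benign."""
    m = CERTUTIL_DECODE.search(command_line)
    if m:
        tokens = command_line.split()
        output = tokens[-1] if len(tokens) >= 2 else ""
        # A decode straight into an executable is the certificate-file trick this
        # page describes: a PE being reconstituted on disk. Rate it higher.
        severity = "high" if EXEC_EXT.search(output) else "medium"
        return {"technique": "T1140", "tool": "certutil",
                "switch": m.group(1).lower(), "output": output, "severity": severity}
    if POWERSHELL.search(command_line) and PS_BASE64.search(command_line):
        return {"technique": "T1140", "tool": "powershell",
                "switch": "FromBase64String", "output": "", "severity": "medium"}
    return None


def scan(command_lines) -> list:
    """Run classify() over a batch of command lines and keep only the findings."""
    findings = []
    for cmd in command_lines:
        finding = classify(cmd)
        if finding:
            findings.append(dict(finding, command_line=cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f['severity']}] {f['tool']} {f['switch']}: {f['command_line']}")
```

Benign certutil uses (-store, -verify) produce no finding, so the rule can run on all certutil process-creation events rather than on the binary name alone.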