forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdeobfuscate_decode_files_or_information.yml
More file actions
26 lines (26 loc) · 1.09 KB
/
deobfuscate_decode_files_or_information.yml
File metadata and controls
26 lines (26 loc) · 1.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
name: Deobfuscate-Decode Files or Information
id: 0bd01a54-8cbe-11eb-abcd-acde48001122
version: 1
date: '2021-03-24'
author: Michael Haag, Splunk
status: production
description: Adversaries may use Obfuscated Files or Information to hide artifacts
of an intrusion from analysis.
narrative: An example of obfuscated files is `Certutil.exe` usage to encode a portable
executable to a certificate file, which is base64 encoded, to hide the originating
file. There are many utilities cross-platform to encode using XOR, using compressed
.cab files to hide contents and scripting languages that may perform similar native
Windows tasks. Triaging an event related will require the capability to review related
process events and file modifications. Using a tool such as CyberChef will assist
with identifying the encoding that was used, and potentially assist with decoding
the contents.
references:
- https://attack.mitre.org/techniques/T1140/
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection