Detect Deobfuscate/Decode Files or Information
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. Depending on how they intend to use that information, they may require a separate mechanism to decode or deobfuscate it. Methods for doing so include built-in functionality of the malware, Scripting, PowerShell, or utilities already present on the system.
One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.
Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.
Tactic: Defense Evasion
Permissions Required: User
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Signature-based detection, Network intrusion detection system
Mitigation of decode files
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.
Monitor the execution file paths and command-line arguments of common archive applications and extensions, such as zip and RAR tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator activity.
Detect Deobfuscate/Decode Files or Information with this free Splunk detection rule:

index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\certutil.exe" CommandLine IN ("*encode*", "*decode*"))
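As an added example that is not part of the original page or of Splunk, the following Python reproduces the certutil encode/decode logic of the rule above over Sysmon process-creation records, and extends it with the copy /b reassembly pattern and the archive-tool monitoring the text recommends. The sample events, file paths and the list of archive-tool image names are constructed for illustration.

```python
import re

# Constructed sample Sysmon EventCode 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\alice\AppData\Local\Temp\cert.txt C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\Temp\server.cer"},  # benign certutil use
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy /b part1.bin+part2.bin+part3.bin payload.exe"},
    {"EventCode": 3, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode x.txt y.exe"},  # wrong event type: network connection, not process creation
    {"EventCode": 1, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x archive.zip -oC:\Users\bob\Documents"},
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk-style wildcard pattern ("*" matches anything) into a case-insensitive regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


# Same predicates as the Splunk rule: Image="*\certutil.exe" AND CommandLine IN ("*encode*", "*decode*")
CERTUTIL_IMAGE = glob_to_regex(r"*\certutil.exe")
CERTUTIL_CMDLINE = [glob_to_regex("*encode*"), glob_to_regex("*decode*")]

# "copy /b a+b out" is the binary-concatenation form used to reassemble fragments.
COPY_B = re.compile(r"\bcopy\s+/b\b", re.IGNORECASE)

# Hypothetical list of archive-tool image names to watch; extend to match your environment.
ARCHIVE_TOOL_IMAGES = [glob_to_regex(p) for p in (r"*\7z.exe", r"*\winrar.exe", r"*\rar.exe", r"*\unzip.exe")]


def is_process_creation(event: dict) -> bool:
    return event.get("EventCode") == 1


def is_certutil_encode_decode(event: dict) -> bool:
    """Mirror of the Splunk rule: certutil.exe launched with encode/decode on the command line."""
    if not is_process_creation(event):
        return False
    if not CERTUTIL_IMAGE.match(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "")
    return any(p.match(cmd) for p in CERTUTIL_CMDLINE)


def is_copy_b_reassembly(event: dict) -> bool:
    """Windows 'copy /b' used to concatenate fragments into a single file."""
    return is_process_creation(event) and bool(COPY_B.search(event.get("CommandLine", "")))


def is_archive_tool(event: dict) -> bool:
    """Low-confidence context signal: archive tool execution, to be correlated with other behavior."""
    return is_process_creation(event) and any(p.match(event.get("Image", "")) for p in ARCHIVE_TOOL_IMAGES)


RULES = [
    ("certutil_encode_decode", is_certutil_encode_decode),
    ("copy_b_reassembly", is_copy_b_reassembly),
    ("archive_tool", is_archive_tool),
]


def detect(events: list) -> list:
    """Return (event index, rule name) for every event that trips a rule."""
    hits = []
    for i, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Run against the constructed sample, the decoder invocation and the copy /b reassembly are flagged, the benign certutil verification and the EventCode 3 record are not, and the 7-Zip launch is reported only as context for correlation, which is the distinction the detection guidance above draws between high-confidence and low-confidence signals.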