deobfuscate_decode_files_or_information.yml

name: Deobfuscate-Decode Files or Information
id: 0bd01a54-8cbe-11eb-abcd-acde48001122
version: 1
date: '2021-03-24'
author: Michael Haag, Splunk
description: Adversaries may use Obfuscated Files or Information to hide artifacts
  of an intrusion from analysis.
narrative: An example of obfuscated files is `Certutil.exe` usage to encode a portable
  executable to a certificate file, which is base64 encoded, to hide the originating
  file. There are many utilities cross-platform to encode using XOR, using compressed
  .cab files to hide contents and scripting languages that may perform similar native
  Windows tasks. Triaging an event related will require the capability to review related
  process events and file modifications. Using a tool such as CyberChef will assist
  with identifying the encoding that was used, and potentially assist with decoding
  the contents.
references:
- https://attack.mitre.org/techniques/T1140/
tags:
  analytic_story: Deobfuscate-Decode Files or Information
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection