Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)
Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)
Atomic Test #6 - Base64 decoding with shell utilities (freebsd)
Atomic Test #10 - XOR decoding and command execution using Python
Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder
Supported Platforms: Windows
auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8
| Name | Description | Type | Default Value | |——|————-|——|—————| | executable | name of executable | path | C:\Windows\System32\calc.exe|
1
command_prompt
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1
Rename certutil and decode a file. This is in reference to latest research by FireEye here
Supported Platforms: Windows
auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
| Name | Description | Type | Default Value | |——|————-|——|—————| | executable | name of executable/file to decode | path | C:\Windows\System32\calc.exe|
1
command_prompt
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
Use Python to decode a base64-encoded text string and echo it to the console
Supported Platforms: Linux, macOS
auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608
| Name | Description | Type | Default Value | |——|————-|——|—————| | message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!| | encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|
1
sh
1
2
3
4
5
6
7
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
1
sh
1
which python3
1
echo "Please install Python 3"
Use Perl to decode a base64-encoded text string and echo it to the console
Supported Platforms: Linux, macOS
auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a
| Name | Description | Type | Default Value | |——|————-|——|—————| | message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!| | encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|
1
sh
1
2
3
4
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
1
sh
1
which perl
1
echo "Please install Perl"
Use common shell utilities to decode a base64-encoded text string and echo it to the console
Supported Platforms: Linux, macOS
auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e
| Name | Description | Type | Default Value | |——|————-|——|—————| | message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!| | encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|
1
sh
1
2
3
4
5
6
7
8
9
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
Use common shell utilities to decode a base64-encoded text string and echo it to the console
Supported Platforms: Linux
auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d
| Name | Description | Type | Default Value | |——|————-|——|—————| | message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!| | encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|
1
sh
1
2
3
4
5
6
7
8
ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen here by TrendMicro, as well as LinPEAS. Also a there is a great Sigma rule here for it.
Supported Platforms: Linux
auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac
| Name | Description | Type | Default Value | |——|————-|——|—————| | bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
1
sh
1
2
3
4
echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh
1
sh
1
which b64decode
1
echo "please install b64decode"
Use common shell utilities to decode a hex-encoded text string and echo it to the console
Supported Platforms: Linux, macOS
auto_generated_guid: 005943f9-8dd5-4349-8b46-0313c0a9f973
| Name | Description | Type | Default Value | |——|————-|——|—————| | message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!| | encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|
1
sh
1
2
3
4
5
6
7
8
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
1
sh
1
which xxd
1
echo "Please install xxd"
Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen here by TrendMicro, as well as LinPEAS. Also a there is a great Sigma rule here for it.
Supported Platforms: Linux, macOS
auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
| Name | Description | Type | Default Value | |——|————-|——|—————| | bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=| | sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
1
sh
1
2
3
4
echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash
1
sh
1
which base64
1
echo "please install base64"
An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim’s machine. This test uses Python to decode and execute commands on the machine.
Supported Platforms: Linux, macOS
auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
| Name | Description | Type | Default Value | |——|————-|——|—————| | xor_key | Key used to decrypt the command | string | waEHleblxiQjoxFJQaIMLdHKz| | encrypted_command | Encrypted command that will be executed | string | AAkqKQEM|
1
bash
1
python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'
1
bash
1
which python3
1
echo "Install Python3"