T1140
Deobfuscate/Decode Files or Information
Description from ATT&CK
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)
Atomic Tests
Atomic Test #1 - Deobfuscate/Decode Files Or Information
Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder
Supported Platforms: windows
auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| executable | name of executable | Path | C:\Windows\System32\calc.exe |
Attack Commands: Run with command_prompt!
1
2
3
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
Cleanup Commands:
1
2
3
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1
Atomic Test #2 - Certutil Rename and Decode
Rename certutil and decode a file. This is in reference to latest research by FireEye here
Supported Platforms: windows
auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| executable | name of executable/file to decode | Path | C:\Windows\System32\calc.exe |
Attack Commands: Run with command_prompt!
1
2
3
4
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
Cleanup Commands:
1
2
3
4
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
Atomic Test #3 - Base64 decoding with Python
Use Python to decode a base64-encoded text string and echo it to the console
Supported Platforms: linux,macos
auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| message | Message to print to the screen | String | Hello from Atomic Red Team test T1140! |
| encoded_file | File to temporarily save encoded text | Path | /tmp/T1140.encoded |
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
Dependencies: Run with sh!
Description: Python must be present
Check Prereq Commands:
1
2
which python3
Get Prereq Commands:
1
2
echo "Please install Python 3"
Atomic Test #4 - Base64 decoding with Perl
Use Perl to decode a base64-encoded text string and echo it to the console
Supported Platforms: linux,macos
auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| message | Message to print to the screen | String | Hello from Atomic Red Team test T1140! |
| encoded_file | File to temporarily save encoded text | Path | /tmp/T1140.encoded |
Attack Commands: Run with sh!
1
2
3
4
5
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
Dependencies: Run with sh!
Description: Perl must be present
Check Prereq Commands:
1
2
which perl
Get Prereq Commands:
1
2
echo "Please install Perl"
Atomic Test #5 - Base64 decoding with shell utilities
Use common shell utilities to decode a base64-encoded text string and echo it to the console
Supported Platforms: linux,macos
auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| message | Message to print to the screen | String | Hello from Atomic Red Team test T1140! |
| encoded_file | File to temporarily save encoded text | Path | /tmp/T1140.encoded |
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
9
10
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
Atomic Test #6 - Hex decoding with shell utilities
Use common shell utilities to decode a hex-encoded text string and echo it to the console
Supported Platforms: linux,macos
auto_generated_guid: 005943f9-8dd5-4349-8b46-0313c0a9f973
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| message | Message to print to the screen | String | Hello from Atomic Red Team test T1140! |
| encoded_file | File to temporarily save encoded text | Path | /tmp/T1140.encoded |
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
9
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
Dependencies: Run with sh!
Description: xxd must be present
Check Prereq Commands:
1
2
which xxd
Get Prereq Commands:
1
2
echo "Please install xxd"