HUNTS- Deobfuscate/Decode Files or Information (T1140)
Version: 1.0
ATT&CK Technique: Deobfuscate/Decode Files or Information (T1140)
What this playbook hunts for:
- Use of certutil.exe to deobfuscate data/files. Certutil can be used to decrypt and decode encoded strings and files. Certutil is not commonly used in many enterprise environments, making its execution potentially suspicious.
- Use of cmd.exe with the parameter copy /b to deobfuscate data/files. Copy /b can be used to reassemble fragmented data. Data fragmenting is often used to evade signature-based detection.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 1 logs where “copy /b” is used as an argument to cmd.exe
- Generates a SIEM query for Sysmon Event ID 1 logs where “certutil.exe” is executed
What results are expected:
- Name, process ID, and path of the process (cmd.exe or certutil.exe)
- Deobfuscate/decode event time
- Hostname of the computer where cmd.exe (with copy /b) or certutil.exe was executed
- User account which launched the process
Common follow-on actions:
- Detect lateral movement (identify other potentially compromised hosts)
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled
False Positive Potential: Medium
- Depending on the environment, systems administrators may use cmd.exe with “copy /b” in various scripts. Such known scripts can be whitelisted to eliminate these false positives.
- In some organizations, Certutil may be more commonly used. If this is the case, it is recommended that specific, commonly used command line arguments be added to the query as exclusions to reduce false positives.
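The two hunt queries above ("How the playbook works") and the argument-based exclusions from the false positive section, re-implemented as an added example over constructed Sysmon Event ID 1 records. This is illustration code written for this page, not part of the playbook; the sample events, hostnames, users and the `-hashfile` exclusion are assumptions, and the field names follow Sysmon's Process Create event.

```python
import re

# Constructed sample Sysmon Event ID 1 (Process Create) records, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-10 09:12:01.000", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy /b part1.bin+part2.bin joined.bin"},
    {"UtcTime": "2024-01-10 09:13:44.000", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessId": 4188, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -decode encoded.txt decoded.bin"},
    {"UtcTime": "2024-01-10 09:20:05.000", "Computer": "WS02", "User": "CORP\\bob",
     "ProcessId": 5012, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
    {"UtcTime": "2024-01-10 10:01:17.000", "Computer": "SRV01", "User": "CORP\\svc_build",
     "ProcessId": 2290, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -hashfile image.iso SHA256"},
]

# "copy /b" as a cmd.exe argument, case-insensitive, tolerant of extra spaces.
COPY_B = re.compile(r"\bcopy\s+/b\b", re.IGNORECASE)


def hunt(events, certutil_allowlist=()):
    """Return one hit per event matching either hunt query.

    certutil_allowlist holds command line substrings treated as known-good
    certutil usage (the playbook's suggested false positive reduction).
    """
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmdline = ev.get("CommandLine", "")
        rule = None
        if image.endswith("\\cmd.exe") and COPY_B.search(cmdline):
            rule = "cmd.exe copy /b"
        elif image.endswith("\\certutil.exe"):
            if any(a.lower() in cmdline.lower() for a in certutil_allowlist):
                continue  # excluded as commonly used benign argument
            rule = "certutil.exe execution"
        if rule:
            # Fields listed under "What results are expected".
            hits.append({"rule": rule, "time": ev["UtcTime"], "host": ev["Computer"],
                         "user": ev["User"], "pid": ev["ProcessId"], "image": ev["Image"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, certutil_allowlist=["-hashfile"]):
        print(hit)
```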
