logo
SlackReddit

T1140

Deobfuscate/Decode Files or Information

Description from ATT&CK

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)

Atomic Tests

Atomic Test #1 - Deobfuscate/Decode Files Or Information

Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder

Supported Platforms: Windows

auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8

Inputs:

NameDescriptionTypeDefault Value
executablename of executablepathC:\Windows\System32\calc.exe

Attack Commands: Run with command_prompt!

certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe

Cleanup Commands:

del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1

Atomic Test #2 - Certutil Rename and Decode

Rename certutil and decode a file. This is in reference to latest research by FireEye here

Supported Platforms: Windows

auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94

Inputs:

NameDescriptionTypeDefault Value
executablename of executable/file to decodepathC:\Windows\System32\calc.exe

Attack Commands: Run with command_prompt!

copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe

Cleanup Commands:

del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1

Atomic Test #3 - Base64 decoding with Python

Use Python to decode a base64-encoded text string and echo it to the console

Supported Platforms: Linux, macOS

auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608

Inputs:

NameDescriptionTypeDefault Value
messageMessage to print to the screenstringHello from Atomic Red Team test T1140!
encoded_fileFile to temporarily save encoded textpath/tmp/T1140.encoded

Attack Commands: Run with sh!

ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"

Dependencies: Run with sh!

Description: Python must be present
Check Prereq Commands:
which python3
Get Prereq Commands:
echo "Please install Python 3"

Atomic Test #4 - Base64 decoding with Perl

Use Perl to decode a base64-encoded text string and echo it to the console

Supported Platforms: Linux, macOS

auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a

Inputs:

NameDescriptionTypeDefault Value
messageMessage to print to the screenstringHello from Atomic Red Team test T1140!
encoded_fileFile to temporarily save encoded textpath/tmp/T1140.encoded

Attack Commands: Run with sh!

ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'

Dependencies: Run with sh!

Description: Perl must be present
Check Prereq Commands:
which perl
Get Prereq Commands:
echo "Please install Perl"

Atomic Test #5 - Base64 decoding with shell utilities

Use common shell utilities to decode a base64-encoded text string and echo it to the console

Supported Platforms: Linux, macOS

auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e

Inputs:

NameDescriptionTypeDefault Value
messageMessage to print to the screenstringHello from Atomic Red Team test T1140!
encoded_fileFile to temporarily save encoded textpath/tmp/T1140.encoded

Attack Commands: Run with sh!

ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"

Atomic Test #6 - Base64 decoding with shell utilities (freebsd)

Use common shell utilities to decode a base64-encoded text string and echo it to the console

Supported Platforms: Linux

auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d

Inputs:

NameDescriptionTypeDefault Value
messageMessage to print to the screenstringHello from Atomic Red Team test T1140!
encoded_fileFile to temporarily save encoded textpath/tmp/T1140.encoded

Attack Commands: Run with sh!

ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r

Atomic Test #7 - FreeBSD b64encode Shebang in CLI

Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen here by TrendMicro, as well as LinPEAS. Also a there is a great Sigma rule here for it.

Supported Platforms: Linux

auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac

Inputs:

NameDescriptionTypeDefault Value
bash_encodedEncodedstringIyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
dash_encodedEncodedstringIyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
fish_encodedEncodedstringIyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
sh_encodedEncodedstringIyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK

Attack Commands: Run with sh!

echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh

Dependencies: Run with sh!

Description: b64decode must be present
Check Prereq Commands:
which b64decode
Get Prereq Commands:
echo "please install b64decode"

Atomic Test #8 - Hex decoding with shell utilities

Use common shell utilities to decode a hex-encoded text string and echo it to the console

Supported Platforms: Linux, macOS

auto_generated_guid: 005943f9-8dd5-4349-8b46-0313c0a9f973

Inputs:

NameDescriptionTypeDefault Value
messageMessage to print to the screenstringHello from Atomic Red Team test T1140!
encoded_fileFile to temporarily save encoded textpath/tmp/T1140.encoded

Attack Commands: Run with sh!

ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p

Dependencies: Run with sh!

Description: xxd must be present
Check Prereq Commands:
which xxd
Get Prereq Commands:
echo "Please install xxd"

Atomic Test #9 - Linux Base64 Encoded Shebang in CLI

Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen here by TrendMicro, as well as LinPEAS. Also a there is a great Sigma rule here for it.

Supported Platforms: Linux, macOS

auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d

Inputs:

NameDescriptionTypeDefault Value
bash_encodedEncodedstringIyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
dash_encodedEncodedstringIyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
fish_encodedEncodedstringIyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
sh_encodedEncodedstringIyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK

Attack Commands: Run with sh!

echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash

Dependencies: Run with sh!

Description: base64 must be present
Check Prereq Commands:
which base64
Get Prereq Commands:
echo "please install base64"

Atomic Test #10 - XOR decoding and command execution using Python

An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.

Supported Platforms: Linux, macOS

auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc

Inputs:

NameDescriptionTypeDefault Value
xor_keyKey used to decrypt the commandstringwaEHleblxiQjoxFJQaIMLdHKz
encrypted_commandEncrypted command that will be executedstringAAkqKQEM

Attack Commands: Run with bash!

python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'

Dependencies: Run with bash!

Description: Python3 must be installed
Check Prereq Commands:
which python3
Get Prereq Commands:
echo "Install Python3"

Atomic Test #11 - Expand CAB with expand.exe

Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives. Upon success, art-expand-source.txt is extracted next to the CAB.

Supported Platforms: Windows

auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11

Inputs:

NameDescriptionTypeDefault Value
cab_pathPath to the CAB to expand (created if missing)path%TEMP%\art-expand-test.cab
output_dirDestination directorypath%TEMP%\art-expand-out

Attack Commands: Run with command_prompt!

mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd

Cleanup Commands:

del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1

T1137

Office Application Startup

T1176

Browser Extensions

On this page

Atomic Tests
Atomic Test #1 - Deobfuscate/Decode Files Or Information
Inputs:
Attack Commands: Run with command_prompt!
Cleanup Commands:
Atomic Test #2 - Certutil Rename and Decode
Inputs:
Attack Commands: Run with command_prompt!
Cleanup Commands:
Atomic Test #3 - Base64 decoding with Python
Inputs:
Attack Commands: Run with sh!
Dependencies: Run with sh!
Description: Python must be present
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #4 - Base64 decoding with Perl
Inputs:
Attack Commands: Run with sh!
Dependencies: Run with sh!
Description: Perl must be present
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #5 - Base64 decoding with shell utilities
Inputs:
Attack Commands: Run with sh!
Atomic Test #6 - Base64 decoding with shell utilities (freebsd)
Inputs:
Attack Commands: Run with sh!
Atomic Test #7 - FreeBSD b64encode Shebang in CLI
Inputs:
Attack Commands: Run with sh!
Dependencies: Run with sh!
Description: b64decode must be present
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #8 - Hex decoding with shell utilities
Inputs:
Attack Commands: Run with sh!
Dependencies: Run with sh!
Description: xxd must be present
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #9 - Linux Base64 Encoded Shebang in CLI
Inputs:
Attack Commands: Run with sh!
Dependencies: Run with sh!
Description: base64 must be present
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #10 - XOR decoding and command execution using Python
Inputs:
Attack Commands: Run with bash!
Dependencies: Run with bash!
Description: Python3 must be installed
Check Prereq Commands:
Get Prereq Commands:
Atomic Test #11 - Expand CAB with expand.exe
Inputs:
Attack Commands: Run with command_prompt!
Cleanup Commands: