T1140 - Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or using utilities already present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)

Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)

Atomic Tests

Atomic Test #1 - Deobfuscate/Decode Files Or Information

Encode/Decode executable. Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder.

Supported Platforms: windows

Attack Commands: Run with command_prompt

certutil -encode C:\Windows\System32\calc.exe %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
Invoke-AtomicTest T1140 -TestNumbers 1

Cleanup:

del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1
Invoke-AtomicTest T1140 -TestNumbers 1 -Cleanup

Atomic Test #2 - Certutil Rename and Decode

Rename certutil and decode a file. This is in reference to research published by FireEye. Copying certutil.exe to a new name defeats detections that key only on the image name; the -decode argument syntax is unchanged.

Supported Platforms: windows

Attack Commands: Run with command_prompt

copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode C:\Windows\System32\calc.exe %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
Invoke-AtomicTest T1140 -TestNumbers 2

Cleanup:

del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
Invoke-AtomicTest T1140 -TestNumbers 2 -Cleanup
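Tests #1 and #2 produce the kind of file the technique overview describes: a portable executable wrapped in a -----BEGIN CERTIFICATE----- envelope so that it passes as a certificate. The Python below is added here as an example and is not Atomic Red Team code. It unwraps such a file the way certutil -decode would and checks whether the payload is a PE (MZ header, e_lfanew pointing at a PE\0\0 signature) rather than a DER certificate. The sample header it builds is constructed and is not a real executable; certutil_encode approximates the layout certutil -encode writes (PEM header and footer, 64-character lines) and is an assumption of this example, not a call into certutil.

```python
import base64
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature at offset 0x40. Enough header for the check, not a binary."""
    dos_header = bytearray(b"MZ" + b"\x00" * 58)   # e_magic plus padding up to 0x3C
    dos_header += struct.pack("<I", 0x40)           # e_lfanew
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def certutil_encode(data: bytes) -> str:
    """Approximation of the file 'certutil -encode' writes: PEM armour, 64-char lines, CRLF."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def pem_payload(text: str) -> bytes:
    """Strip the PEM armour and whitespace, then base64-decode (what certutil -decode does)."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    return base64.b64decode("".join(body.split()))


def is_pe(data: bytes) -> bool:
    """True when the bytes carry a DOS header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_certificate_file(text: str) -> str:
    """Return 'pe' for an executable hidden in PEM armour, 'der' for a real
    certificate body (ASN.1 SEQUENCE tag 0x30), otherwise 'unknown'."""
    payload = pem_payload(text)
    if is_pe(payload):
        return "pe"
    if payload[:1] == b"\x30":
        return "der"
    return "unknown"


if __name__ == "__main__":
    hidden = certutil_encode(build_fake_pe())
    print(hidden.splitlines()[0], "->", classify_certificate_file(hidden))
```

The same check is useful in the other direction: run it over every *.cer, *.crt and *.txt written by certutil or by an unsigned binary that took a -decode argument, and alert on anything that classifies as pe.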

Atomic Test #3 - Base64 decoding with Python

Use Python to decode a base64-encoded text string and echo it to the console

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: Python must be present
Check Prereq Commands:
which python3
Get Prereq Commands:
echo "Please install Python 3"
Invoke-AtomicTest T1140 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with sh

ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("Hello from Atomic Red Team test T1140!".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > /tmp/T1140.encoded && python3 -c "import base64;dec=base64.b64decode(open('/tmp/T1140.encoded').read());print(dec.decode())"
Invoke-AtomicTest T1140 -TestNumbers 3

Atomic Test #4 - Base64 decoding with Perl#

Use Perl to decode a base64-encoded text string and echo it to the console

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: Perl must be present
Check Prereq Commands:
which perl
Get Prereq Commands:
echo "Please install Perl"
Invoke-AtomicTest T1140 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with sh

ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('Hello from Atomic Red Team test T1140!'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > /tmp/T1140.encoded && perl -le 'use MIME::Base64;open($f,"<","/tmp/T1140.encoded");print(decode_base64(<$f>));'
Invoke-AtomicTest T1140 -TestNumbers 4

Atomic Test #5 - Base64 decoding with shell utilities

Use common shell utilities to decode a base64-encoded text string and echo it to the console

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > /tmp/T1140.encoded && base64 -d /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && base64 -d < /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | base64 -d
echo $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
Invoke-AtomicTest T1140 -TestNumbers 5

Atomic Test #6 - Base64 decoding with shell utilities (freebsd)

Use common shell utilities to decode a base64-encoded text string and echo it to the console. b64encode and b64decode are the FreeBSD base-system utilities (the -r flag selects raw base64 without the uuencode begin/end framing), so this test will fail on a Linux host that does not have them.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > /tmp/T1140.encoded && b64decode -r /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && b64decode -r < /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | b64decode -r
echo $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | b64decode -r
Invoke-AtomicTest T1140 -TestNumbers 6

Atomic Test #7 - FreeBSD b64encode Shebang in CLI

Using b64decode to decode and execute shell scripts that contain a shebang. This is a common way attackers obfuscate passing and executing a shell script; it has been observed by TrendMicro and in LinPEAS, and there is a Sigma rule for it.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: b64decode must be present
Check Prereq Commands:
which b64decode
Get Prereq Commands:
echo "please install b64decode"
Invoke-AtomicTest T1140 -TestNumbers 7 -GetPreReqs

Attack Commands: Run with sh

echo IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | b64decode -r | sh
echo IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | b64decode -r | sh
echo IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK | b64decode -r | sh
Invoke-AtomicTest T1140 -TestNumbers 7

Atomic Test #8 - Hex decoding with shell utilities

Use common shell utilities to decode a hex-encoded text string and echo it to the console

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: xxd must be present
Check Prereq Commands:
which xxd
Get Prereq Commands:
echo "Please install xxd"
Invoke-AtomicTest T1140 -TestNumbers 8 -GetPreReqs

Attack Commands: Run with sh

ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > /tmp/T1140.encoded && xxd -r -p /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && xxd -r -p < /tmp/T1140.encoded
echo $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | xxd -r -p
echo $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | xxd -r -p
Invoke-AtomicTest T1140 -TestNumbers 8

Atomic Test #9 - Linux Base64 Encoded Shebang in CLI

Using Linux base64-encoded shell scripts that contain a shebang. This is a common way attackers obfuscate passing and executing a shell script; it has been observed by TrendMicro and in LinPEAS, and there is a Sigma rule for it.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: base64 must be present
Check Prereq Commands:
which base64
Get Prereq Commands:
echo "please install base64"
Invoke-AtomicTest T1140 -TestNumbers 9 -GetPreReqs

Attack Commands: Run with sh

echo IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | base64 -d | bash
echo IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | base64 -d | bash
echo IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK | base64 -d | bash
Invoke-AtomicTest T1140 -TestNumbers 9

Atomic Test #10 - XOR decoding and command execution using Python

An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine (the XOR-encoded payload below decodes to the command whoami).

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

Dependencies: Run with bash!

Description: Python3 must be installed
Check Prereq Commands:
which python3
Get Prereq Commands:
echo "Install Python3"
Invoke-AtomicTest T1140 -TestNumbers 10 -GetPreReqs

Attack Commands: Run with bash

python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "AAkqKQEM"; key = "waEHleblxiQjoxFJQaIMLdHKz"; cmd = xor_decrypt(command, key); subprocess.call(cmd, shell=True)'
Invoke-AtomicTest T1140 -TestNumbers 10
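The command hidden in Test #10 can be recovered statically rather than by running it, which is how an analyst should handle a captured one-liner of this shape. The Python below is added as an example (not Atomic Red Team code): it reimplements the one-liner's XOR step over the test's own values, and it also shows a caveat of the lambda as written. zip() stops at the shorter of the two sequences, so a command longer than the 25-byte key would be silently truncated; the repeating-key variant avoids that. The encoder and the long sample command are constructed for the demonstration.

```python
import base64
from itertools import cycle

# Values quoted from Atomic Test #10.
COMMAND_B64 = "AAkqKQEM"
KEY = "waEHleblxiQjoxFJQaIMLdHKz"


def xor_decode_as_in_test(b64_text: str, key: str) -> str:
    """Exactly what the test's lambda does: base64-decode, then XOR byte-for-byte with the
    key. zip() ends at the shorter input, so bytes beyond len(key) are dropped."""
    data = base64.b64decode(b64_text.encode())
    return "".join(chr(c ^ ord(k)) for c, k in zip(data, key))


def xor_decode_repeating_key(b64_text: str, key: str) -> str:
    """Same scheme with the key cycled, so the whole payload is recovered."""
    data = base64.b64decode(b64_text.encode())
    return bytes(c ^ k for c, k in zip(data, cycle(key.encode()))).decode("latin-1")


def xor_encode(plaintext: str, key: str) -> str:
    """Constructed encoder for the repeating-key variant (the inverse of the decoder)."""
    data = bytes(c ^ k for c, k in zip(plaintext.encode(), cycle(key.encode())))
    return base64.b64encode(data).decode()


if __name__ == "__main__":
    # Recover the command without executing it.
    print(xor_decode_as_in_test(COMMAND_B64, KEY))
    # Demonstrate the truncation the test's lambda would apply to a longer command.
    long_cmd = "echo this constructed command is longer than the twenty-five byte key"
    enc = xor_encode(long_cmd, KEY)
    print(xor_decode_as_in_test(enc, KEY))
    print(xor_decode_repeating_key(enc, KEY))
```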

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.

Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
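The command-line monitoring described above, applied to the utilities exercised by the tests on this page, looks roughly like the following. The Python is added as an example and is not part of Atomic Red Team, MITRE's detection guidance, or the Sigma rule the shebang tests cite. The sample command lines are constructed in the shape a process-creation log would carry; the rule names and the heuristic for a renamed certutil (any image taking "-decode <in> <out>") are this example's own assumptions, and the shebang check decodes every base64-looking token and tests whether it begins with "#!", which generalises the fixed prefixes used in Tests #7 and #9.

```python
import base64
import binascii
import re

# Constructed sample: one base64 blob with a shebang, built here so it is correct by
# construction, plus command lines modelled on the tests above and two benign lines.
SHEBANG_BLOB = base64.b64encode(b"#!/bin/bash\necho hi\n").decode()
SAMPLE_COMMAND_LINES = [
    r"certutil -decode C:\Users\Public\T1140_calc.txt C:\Users\Public\T1140_calc_decoded.exe",
    r"C:\Users\Public\tcm.tmp -decode C:\Users\Public\T1140_calc2.txt C:\Users\Public\out.exe",
    f'sh -c "echo {SHEBANG_BLOB} | base64 -d | bash"',
    'sh -c "echo 48656c6c6f | xxd -r -p"',
    """python3 -c "import base64;print(base64.b64decode('aGk=').decode())\"""",
    r"certutil -verify C:\certs\corp-root.cer",
    "git log --oneline",
]

# Pattern rules, keyed by the name the alert would carry. All are assumptions of this example.
RULES = {
    "certutil_encode_decode": re.compile(
        r"(?i)\bcertutil(?:\.exe)?\b.*\s-(?:en|de)code\b"),
    # A renamed certutil (Test #2) keeps its argument syntax: "<image> -decode <in> <out>".
    "decode_switch_nonstandard_image": re.compile(
        r"(?i)^(?!.*\bcertutil(?:\.exe)?\b).*\s-decode\s+\S+\s+\S+"),
    # Decoded bytes piped straight into an interpreter (Tests #5, #6, #7, #9).
    "base64_decode_piped_to_shell": re.compile(
        r"\b(?:base64\s+(?:-d|--decode)|b64decode\s+-r)\b[^|]*\|\s*(?:ba|da|z|k)?sh\b"),
    "xxd_reverse": re.compile(r"\bxxd\s+-r\b"),                       # Test #8
    "script_base64_decode": re.compile(                               # Tests #3, #4
        r"\b(?:python\d?(?:\.\d+)?|perl)\b.*\b(?:b64decode|decode_base64)\b"),
}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decodes_to_shebang(token: str) -> bool:
    """True when a base64-looking token decodes to data starting with '#!'."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"#!")


def scan(cmdline: str) -> list:
    """Return the names of every rule the command line trips, in rule order."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if any(decodes_to_shebang(t) for t in B64_TOKEN.findall(cmdline)):
        hits.append("base64_shebang_in_cli")
    return hits


def scan_all(lines) -> dict:
    """Map line index to the rules it tripped, omitting lines with no hits."""
    results = {i: scan(line) for i, line in enumerate(lines)}
    return {i: hits for i, hits in results.items() if hits}


if __name__ == "__main__":
    for i, hits in scan_all(SAMPLE_COMMAND_LINES).items():
        print(i, hits, SAMPLE_COMMAND_LINES[i][:60])
```

The two benign lines (certutil -verify on a certificate, git log) produce no hits, which is the false-positive control the paragraph above asks for; in production the certutil rules should additionally be correlated with the image's original file name or hash, since a renamed copy is exactly what Test #2 exercises.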

Shield Active Defense

API Monitoring

Monitor local APIs that might be used by adversary tools and activity.

API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring.

Opportunity

There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

Use Case

A defender can monitor and analyze operating system functions calls for detection and alerting.

Procedures

Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further. Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time.