De-obfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information, depending on how they intend to use it. Methods for doing that include built-in functionality of the malware or utilities already present on the system.

One such example is the use of certutil to decode a remote access tool portable executable that has been hidden inside a certificate file. Another is using the Windows copy /b command to reassemble binary fragments into a malicious payload.

Sometimes a user's action may be required to open the file for deobfuscation or decryption, as part of User Execution. The user may also be required to enter a password to open a password-protected compressed or encrypted file supplied by the adversary.

Example:

Here is a simple obfuscation trick in PowerShell: the -EncodedCommand (-enc) switch executes base64-encoded commands.

What is that base64-encoded string? Get-Process.

For some reason, when I encoded using the web or Linux, the string was always incorrect, so I used PowerShell's method for encoding strings to base64.

Update: Thanks to user init5, it was pointed out that we need to make sure to use UTF-16LE when we are encoding on Linux for it to work on Windows.

And this decodes correctly on Linux.
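As an added example (not code from the original page), here is the encoding and decoding described above written in Python so that it behaves the same on Linux and Windows. It reproduces PowerShell's own method, [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s)), shows the UTF-8 string that a plain `base64` on Linux produces and why PowerShell will not run it, and adds a triage helper that pulls an -enc blob out of a process command line. The sample command line and the abbreviation regex are constructed for illustration.

```python
"""PowerShell -EncodedCommand (-enc) helpers: encode, decode, and extract.

PowerShell expects the base64 payload to be the UTF-16LE ("Unicode") bytes of
the script. Encoding the script as UTF-8 (what `echo -n | base64` does on
Linux) produces a blob that PowerShell decodes into garbage, which is the
problem described in the page above.
"""
import base64
import re

# Constructed sample command line, as it might appear in a process-creation log.
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc ...).
# Approximation for triage; it does not handle quoted or line-wrapped blobs.
ENC_FLAG = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Same result as PowerShell's Unicode.GetBytes + ToBase64String."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def encode_utf8_wrong(script: str) -> str:
    """What `echo -n "$script" | base64` gives on Linux: UTF-8, not UTF-16LE."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Decode exactly the way PowerShell does; reject a blob that cannot be UTF-16LE."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE (was it encoded as UTF-8?)")
    return raw.decode("utf-16-le")


def _looks_like_text(text: str) -> bool:
    """Heuristic: a real -enc script is ASCII-printable plus whitespace."""
    return all(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text)


def decode_any(blob: str) -> tuple[str, str]:
    """Triage decoder: try UTF-16LE first (what PowerShell uses), then UTF-8.

    Returns (script, encoding_used) so the analyst knows whether the sample
    would actually have run or was mis-encoded by its author.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16-le", errors="replace")
        if _looks_like_text(text):
            return text, "utf-16-le"
    text = raw.decode("utf-8", errors="strict")  # raises if neither works
    return text, "utf-8"


def extract_encoded_commands(cmdline: str) -> list[tuple[str, str]]:
    """Find every -enc blob in a command line and decode it."""
    return [decode_any(m.group(1)) for m in ENC_FLAG.finditer(cmdline)]


if __name__ == "__main__":
    print("PowerShell method:", encode_for_powershell("Get-Process"))
    print("Linux UTF-8 method:", encode_utf8_wrong("Get-Process"))
    for script, enc in extract_encoded_commands(SAMPLE_CMDLINE):
        print(f"decoded ({enc}): {script}")
```

On Linux the equivalent one-liner is `printf '%s' 'Get-Process' | iconv -t UTF-16LE | base64 -w0`, and decoding a captured blob is `base64 -d | iconv -f UTF-16LE -t UTF-8`; the Python version mainly adds the check that tells you which of the two encodings a blob was built with.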
