From 1cb38f55d00eb93ecd23d61b28d248b98f4b1908 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 06:43:16 -0400
Subject: [PATCH] T1140 - Deobfuscate-Decode Files Or Information

---
 atomics/T1140/T1140.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 atomics/T1140/T1140.yaml

diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml
new file mode 100644
index 00000000..b55a9569
--- /dev/null
+++ b/atomics/T1140/T1140.yaml
@@ -0,0 +1,23 @@
+---
+attack_technique: T1140
+display_name: Deobfuscate/Decode Files Or Information
+
+atomic_tests:
+- name: Deobfuscate/Decode Files Or Information
+ description: |
+ Encode/Decode executable
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ executable:
+ description: name of executable
+ type: path
+ default: c:\file.exe
+
+ executor:
+ name: command_prompt
+ command: |
+ certutil.exe -encode ${executable} file.txt
+ certutil.exe -decode file.txt ${executable}
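Review bot: The decode step on the last hunk line writes its output back onto `${executable}`, the same file the first command just encoded, so the test either overwrites the operator's input binary or, because certutil declines to overwrite an existing output file unless `-f` is passed, fails on the second command; `file.txt` is likewise left in the working directory and makes a re-run of the encode step fail for the same reason. Decoding to a separate path and removing both artifacts afterwards, e.g. `certutil.exe -decode file.txt decoded.exe` followed by `del file.txt decoded.exe`, keeps the test repeatable and leaves nothing behind on the host. Atomic Red Team atomics reference input arguments as `#{name}`; if this repository's runner only interpolates that form, `${executable}` here reaches certutil literally and the `default: c:\file.exe` value is never used (quoting that default as `'c:\file.exe'` would also guard it against reformatting by YAML tooling). The one-line description says nothing about what a defender should observe; something like `Encodes an executable to base64 with certutil -encode and decodes it back, producing command-line telemetry for certutil.exe -encode/-decode` would tell the reader what the test is meant to exercise.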