# T1140 - Deobfuscate/Decode Files or Information
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1140)
<blockquote>

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> or <code>type</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Deobfuscate/Decode Files Or Information](#atomic-test-1---deobfuscatedecode-files-or-information)

- [Atomic Test #2 - Certutil Rename and Decode](#atomic-test-2---certutil-rename-and-decode)

- [Atomic Test #3 - Base64 decoding with Python](#atomic-test-3---base64-decoding-with-python)

- [Atomic Test #4 - Base64 decoding with Perl](#atomic-test-4---base64-decoding-with-perl)

- [Atomic Test #5 - Base64 decoding with shell utilities](#atomic-test-5---base64-decoding-with-shell-utilities)

- [Atomic Test #6 - Base64 decoding with shell utilities (freebsd)](#atomic-test-6---base64-decoding-with-shell-utilities-freebsd)

- [Atomic Test #7 - FreeBSD b64encode Shebang in CLI](#atomic-test-7---freebsd-b64encode-shebang-in-cli)

- [Atomic Test #8 - Hex decoding with shell utilities](#atomic-test-8---hex-decoding-with-shell-utilities)

- [Atomic Test #9 - Linux Base64 Encoded Shebang in CLI](#atomic-test-9---linux-base64-encoded-shebang-in-cli)

- [Atomic Test #10 - XOR decoding and command execution using Python](#atomic-test-10---xor-decoding-and-command-execution-using-python)

- [Atomic Test #11 - Expand CAB with expand.exe](#atomic-test-11---expand-cab-with-expandexe)


<br/>

## Atomic Test #1 - Deobfuscate/Decode Files Or Information
Encode/Decode executable
Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder

**Supported Platforms:** Windows


**auto_generated_guid:** dc6fe391-69e6-4506-bd06-ea5eeb4082f8





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable | name of executable | path | C:&#92;Windows&#92;System32&#92;calc.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
```

#### Cleanup Commands:
```cmd
del %temp%\T1140_calc.txt >nul 2>&1
del %temp%\T1140_calc_decoded.exe >nul 2>&1
```





<br/>
<br/>

## Atomic Test #2 - Certutil Rename and Decode
Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)

**Supported Platforms:** Windows


**auto_generated_guid:** 71abc534-3c05-4d0c-80f7-cbe93cb2aa94





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable | name of executable/file to decode | path | C:&#92;Windows&#92;System32&#92;calc.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
```

#### Cleanup Commands:
```cmd
del %temp%\tcm.tmp >nul 2>&1
del %temp%\T1140_calc2.txt >nul 2>&1
del %temp%\T1140_calc2_decoded.exe >nul 2>&1
```





<br/>
<br/>

## Atomic Test #3 - Base64 decoding with Python
Use Python to decode a base64-encoded text string and echo it to the console

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 356dc0e8-684f-4428-bb94-9313998ad608





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!|
| encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|


#### Attack Commands: Run with `sh`! 


```sh
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
```




#### Dependencies:  Run with `sh`!
##### Description: Python must be present
##### Check Prereq Commands:
```sh
which python3
```
##### Get Prereq Commands:
```sh
echo "Please install Python 3"
```




<br/>
<br/>

## Atomic Test #4 - Base64 decoding with Perl
Use Perl to decode a base64-encoded text string and echo it to the console

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 6604d964-b9f6-4d4b-8ce8-499829a14d0a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!|
| encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|


#### Attack Commands: Run with `sh`! 


```sh
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
```




#### Dependencies:  Run with `sh`!
##### Description: Perl must be present
##### Check Prereq Commands:
```sh
which perl
```
##### Get Prereq Commands:
```sh
echo "Please install Perl"
```




<br/>
<br/>

## Atomic Test #5 - Base64 decoding with shell utilities
Use common shell utilities to decode a base64-encoded text string and echo it to the console

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!|
| encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|


#### Attack Commands: Run with `sh`! 


```sh
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
```






<br/>
<br/>

## Atomic Test #6 - Base64 decoding with shell utilities (freebsd)
Use common shell utilities to decode a base64-encoded text string and echo it to the console

**Supported Platforms:** Linux


**auto_generated_guid:** b6097712-c42e-4174-b8f2-4b1e1a5bbb3d





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!|
| encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|


#### Attack Commands: Run with `sh`! 


```sh
ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
```






<br/>
<br/>

## Atomic Test #7 - FreeBSD b64encode Shebang in CLI
Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.

**Supported Platforms:** Linux


**auto_generated_guid:** 18ee2002-66e8-4518-87c5-c0ec9c8299ac





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|


#### Attack Commands: Run with `sh`! 


```sh
echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh
```




#### Dependencies:  Run with `sh`!
##### Description: b64decode must be present
##### Check Prereq Commands:
```sh
which b64decode
```
##### Get Prereq Commands:
```sh
echo "please install b64decode"
```




<br/>
<br/>

## Atomic Test #8 - Hex decoding with shell utilities
Use common shell utilities to decode a hex-encoded text string and echo it to the console

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 005943f9-8dd5-4349-8b46-0313c0a9f973





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| message | Message to print to the screen | string | Hello from Atomic Red Team test T1140!|
| encoded_file | File to temporarily save encoded text | path | /tmp/T1140.encoded|


#### Attack Commands: Run with `sh`! 


```sh
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
```




#### Dependencies:  Run with `sh`!
##### Description: xxd must be present
##### Check Prereq Commands:
```sh
which xxd
```
##### Get Prereq Commands:
```sh
echo "Please install xxd"
```




<br/>
<br/>

## Atomic Test #9 - Linux Base64 Encoded Shebang in CLI
Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 3a15c372-67c1-4430-ac8e-ec06d641ce4d





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
| sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|


#### Attack Commands: Run with `sh`! 


```sh
echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash
```




#### Dependencies:  Run with `sh`!
##### Description: base64 must be present
##### Check Prereq Commands:
```sh
which base64
```
##### Get Prereq Commands:
```sh
echo "please install base64"
```




<br/>
<br/>

## Atomic Test #10 - XOR decoding and command execution using Python
An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** c3b65cd5-ee51-4e98-b6a3-6cbdec138efc





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xor_key | Key used to decrypt the command | string | waEHleblxiQjoxFJQaIMLdHKz|
| encrypted_command | Encrypted command that will be executed | string | AAkqKQEM|


#### Attack Commands: Run with `bash`! 


```bash
python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'
```




#### Dependencies:  Run with `bash`!
##### Description: Python3 must be installed
##### Check Prereq Commands:
```bash
which python3
```
##### Get Prereq Commands:
```bash
echo "Install Python3"
```




<br/>
<br/>

## Atomic Test #11 - Expand CAB with expand.exe
Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
Upon success, art-expand-source.txt is extracted next to the CAB.

**Supported Platforms:** Windows


**auto_generated_guid:** 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cab_path | Path to the CAB to expand (created if missing) | path | %TEMP%&#92;art-expand-test.cab|
| output_dir | Destination directory | path | %TEMP%&#92;art-expand-out|


#### Attack Commands: Run with `command_prompt`! 


```cmd
mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd
```

#### Cleanup Commands:
```cmd
del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
del "#{cab_path}" >nul 2>&1
rmdir "#{output_dir}" /s /q >nul 2>&1
```





<br/>