Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
45 lines
1.2 KiB
YAML
45 lines
1.2 KiB
YAML
---
|
|
attack_technique: T1140
|
|
display_name: Deobfuscate/Decode Files Or Information
|
|
|
|
atomic_tests:
|
|
- name: Deobfuscate/Decode Files Or Information
|
|
description: |
|
|
Encode/Decode executable
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
executable:
|
|
description: name of executable
|
|
type: path
|
|
default: c:\file.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
certutil.exe -encode #{executable} file.txt
|
|
certutil.exe -decode file.txt #{executable}
|
|
|
|
- name: Certutil Rename and Decode
|
|
description: |
|
|
Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
executable:
|
|
description: name of executable/file to decode
|
|
type: path
|
|
default: c:\file.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
|
|
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
|