Home  >  APT29  >  Results  >  F-Secure  >  Deobfuscate/Decode Files or Information

Technique Results: Deobfuscate/Decode Files or Information (T1140) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
powershell.exe executing Expand-Archive
4.A.3
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell unzipping and moving SysInternals tools. [1]
Telemetry
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. [1] [2]
Decoded an embedded DLL payload to disk using certutil.exe
certutil.exe decoding kxwn.lock
11.A.10
Technique (Alert)
A Technique alert detection (medium severity) was generated for certutil with decode switch usage. [1]
MSSP (Delayed (Manual))
An MSSP occurred containing evidence of certutil.exe decoding kxwn.lock. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. [1]
Read and decoded Mimikatz output from a WMI class property using PowerShell
powershell.exe executing Get-WmiInstance
14.B.6
Telemetry
Telemetry showed PowerShell reading encoded content from the WMI class. [1]