T1140

Deobfuscate/Decode Files or Information

Deobfuscate/Decode Files or Information (T1140) is a MITRE ATT&CK technique associated with Stealth . Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

Technique ID: T1140
Difficulty: Intermediate
Tactics: Stealth
Platforms: ESXiLinuxmacOSWindows

Executive Summary

Deobfuscate/Decode Files or Information (T1140) is a MITRE ATT&CK technique associated with Stealth. Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

Why Attackers Use It

Attackers use Deobfuscate/Decode Files or Information because it provides a reliable way to advance their objective within the Stealth tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> or <code>type</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Deobfuscate/Decode Files or Information to achieve its tactical objective (Stealth).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents Deobfuscate/Decode Files or Information. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with Deobfuscate/Decode Files or Information and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.003
T1005
T1008
T1012
T1014
T1016
T1016.002
T1027
T1027.001
T1027.002
T1027.003
T1027.007
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1027.016
T1036
T1036.004
T1036.005
T1036.008
T1037
T1037.004
T1040
T1041
T1048
T1048.002
T1048.003
T1053.005
T1055
T1055.001
T1055.002
T1055.012
T1056
T1056.002
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1059.008
T1069
T1070.004
T1070.006
T1071
T1071.001
T1071.003
T1071.004
T1074
T1074.001
T1080
T1082
T1083
T1087.003
T1090
T1090.001
T1095
T1102
T1102.001
T1102.003
T1104
T1105
T1106
T1112
T1114.001
T1124
T1127.001
T1129
T1132.001
T1132.002
T1134.001
T1134.002
T1135
T1137.001
T1137.006
T1176.001
T1195
T1204
T1204.002
T1205
T1205.001
T1205.002
T1217
T1218.004
T1218.007
T1218.010
T1218.011
T1222.002
T1480
T1480.001
T1480.002
T1484.001
T1489
T1496.001
T1497
T1497.001
T1497.002
T1497.003
T1505.003
T1505.004
T1518
T1518.001
T1531
T1543
T1543.001
T1543.002
T1543.004
T1546.004
T1546.011
T1547.001
T1547.006
T1548.002
T1552.002
T1552.004
T1553.001
T1553.002
T1553.005
T1554
T1555.001
T1555.003
T1555.004
T1556
T1556.003
T1559
T1559.001
T1560
T1560.002
T1561.001
T1564
T1564.001
T1564.003
T1564.004
T1565.002
T1566.001
T1567
T1567.002
T1568.001
T1568.002
T1571
T1572
T1573
T1573.001
T1573.002
T1574
T1574.001
T1574.006
T1584.006
T1598
T1614
T1614.001
T1620
T1622
T1653
T1657
T1665
T1678
T1679
T1685
T1685.006
T1688
T1690

T1001Data Obfuscation T1001.001Junk Data T1001.003Protocol or Service Impersonation T1005Data from Local System T1008Fallback Channels T1012Query Registry T1014Rootkit T1016System Network Configuration Discovery T1016.002Wi-Fi Discovery T1027Obfuscated Files or Information T1027.001Binary Padding T1027.002Software Packing T1027.003Steganography T1027.007Dynamic API Resolution T1027.009Embedded Payloads T1027.010Command Obfuscation T1027.011Fileless Storage T1027.013Encrypted/Encoded File T1027.015Compression T1027.016Junk Code Insertion T1036Masquerading T1036.004Masquerade Task or Service T1036.005Match Legitimate Resource Name or Location T1036.008Masquerade File Type T1037Boot or Logon Initialization Scripts T1037.004RC Scripts T1040Network Sniffing T1041Exfiltration Over C2 Channel T1048Exfiltration Over Alternative Protocol T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1053.005Scheduled Task T1055Process Injection T1055.001Dynamic-link Library Injection T1055.002Portable Executable Injection T1055.012Process Hollowing T1056Input Capture T1056.002GUI Input Capture T1057Process Discovery T1059Command and Scripting Interpreter T1059.001PowerShell T1059.002AppleScript T1059.003Windows Command Shell T1059.004Unix Shell T1059.005Visual Basic T1059.006Python T1059.007JavaScript T1059.008Network Device CLI T1069Permission Groups Discovery T1070.004File Deletion T1070.006Timestomp T1071Application Layer Protocol T1071.001Web Protocols T1071.003Mail Protocols T1071.004DNS T1074Data Staged T1074.001Local Data Staging T1080Taint Shared Content T1082System Information Discovery T1083File and Directory Discovery T1087.003Email Account T1090Proxy T1090.001Internal Proxy T1095Non-Application Layer Protocol T1102Web Service T1102.001Dead Drop Resolver T1102.003One-Way Communication T1104Multi-Stage Channels T1105Ingress Tool Transfer T1106Native API T1112Modify Registry T1114.001Local Email Collection T1124System Time Discovery T1127.001MSBuild T1129Shared Modules T1132.001Standard Encoding T1132.002Non-Standard Encoding T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1135Network Share Discovery T1137.001Office Template Macros T1137.006Add-ins T1176.001Browser Extensions T1195Supply Chain Compromise T1204User Execution T1204.002Malicious File T1205Traffic Signaling T1205.001Port Knocking T1205.002Socket Filters T1217Browser Information Discovery T1218.004InstallUtil T1218.007Msiexec T1218.010Regsvr32 T1218.011Rundll32 T1222.002Linux and Mac Permissions T1480Execution Guardrails T1480.001Environmental Keying T1480.002Mutual Exclusion T1484.001Group Policy Modification T1489Service Stop T1496.001Compute Hijacking T1497Virtualization/Sandbox Evasion T1497.001System Checks T1497.002User Activity Based Checks T1497.003Time Based Checks T1505.003Web Shell T1505.004IIS Components T1518Software Discovery T1518.001Security Software Discovery T1531Account Access Removal T1543Create or Modify System Process T1543.001Launch Agent T1543.002Systemd Service T1543.004Launch Daemon T1546.004Unix Shell Configuration Modification T1546.011Application Shimming T1547.001Registry Run Keys / Startup Folder T1547.006Kernel Modules and Extensions T1548.002Bypass User Account Control T1552.002Credentials in Registry T1552.004Private Keys T1553.001Gatekeeper Bypass T1553.002Code Signing T1553.005Mark-of-the-Web Bypass T1554Compromise Host Software Binary T1555.001Keychain T1555.003Credentials from Web Browsers T1555.004Windows Credential Manager T1556Modify Authentication Process T1556.003Pluggable Authentication Modules T1559Inter-Process Communication T1559.001Component Object Model T1560Archive Collected Data T1560.002Archive via Library T1561.001Disk Content Wipe T1564Hide Artifacts T1564.001Hidden Files and Directories T1564.003Hidden Window T1564.004NTFS File Attributes T1565.002Transmitted Data Manipulation T1566.001Spearphishing Attachment T1567Exfiltration Over Web Service T1567.002Exfiltration to Cloud Storage T1568.001Fast Flux DNS T1568.002Domain Generation Algorithms T1571Non-Standard Port T1572Protocol Tunneling T1573Encrypted Channel T1573.001Symmetric Cryptography T1573.002Asymmetric Cryptography T1574Hijack Execution Flow T1574.001DLL T1574.006Dynamic Linker Hijacking T1584.006Web Services T1598Phishing for Information T1614System Location Discovery T1614.001System Language Discovery T1620Reflective Code Loading T1622Debugger Evasion T1653Power Settings T1657Financial Theft T1665Hide Infrastructure T1678Delay Execution T1679Selective Exclusion T1685Disable or Modify Tools T1685.006Clear Linux or Mac System Logs T1688Safe Mode Boot T1690Prevent Command History Logging

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Deobfuscate/Decode Files or Information to achieve its tactical objective (Stealth).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with Deobfuscate/Decode Files or Information and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.003
T1005
T1008
T1012
T1014
T1016
T1016.002
T1027
T1027.001
T1027.002
T1027.003
T1027.007
T1027.009
T1027.010
T1027.011
T1027.013
T1027.015
T1027.016
T1036
T1036.004
T1036.005
T1036.008
T1037
T1037.004
T1040
T1041
T1048
T1048.002
T1048.003
T1053.005
T1055
T1055.001
T1055.002
T1055.012
T1056
T1056.002
T1057
T1059
T1059.001
T1059.002
T1059.003
T1059.004
T1059.005
T1059.006
T1059.007
T1059.008
T1069
T1070.004
T1070.006
T1071
T1071.001
T1071.003
T1071.004
T1074
T1074.001
T1080
T1082
T1083
T1087.003
T1090
T1090.001
T1095
T1102
T1102.001
T1102.003
T1104
T1105
T1106
T1112
T1114.001
T1124
T1127.001
T1129
T1132.001
T1132.002
T1134.001
T1134.002
T1135
T1137.001
T1137.006
T1176.001
T1195
T1204
T1204.002
T1205
T1205.001
T1205.002
T1217
T1218.004
T1218.007
T1218.010
T1218.011
T1222.002
T1480
T1480.001
T1480.002
T1484.001
T1489
T1496.001
T1497
T1497.001
T1497.002
T1497.003
T1505.003
T1505.004
T1518
T1518.001
T1531
T1543
T1543.001
T1543.002
T1543.004
T1546.004
T1546.011
T1547.001
T1547.006
T1548.002
T1552.002
T1552.004
T1553.001
T1553.002
T1553.005
T1554
T1555.001
T1555.003
T1555.004
T1556
T1556.003
T1559
T1559.001
T1560
T1560.002
T1561.001
T1564
T1564.001
T1564.003
T1564.004
T1565.002
T1566.001
T1567
T1567.002
T1568.001
T1568.002
T1571
T1572
T1573
T1573.001
T1573.002
T1574
T1574.001
T1574.006
T1584.006
T1598
T1614
T1614.001
T1620
T1622
T1653
T1657
T1665
T1678
T1679
T1685
T1685.006
T1688
T1690

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques