T1140 — Deobfuscate/Decode Files or Information

Technique

T1140

Tactics

Stealth

MISP citations

0

KEV CVEs mapped

2

Community rules

18

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1140

MITRE description

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> or <code>type</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-44077
• CVE-2021-40539

Detection coverage

SigmaHQ community rules

• Potential BlackByte Ransomware Activity (emerging-threats)
• UNC4841 - SSL Certificate Exfiltration Via Openssl (emerging-threats)
• UNC4841 - Download Compressed Files From Temp.sh Using Wget (emerging-threats)
• UNC4841 - Download Tar File From Untrusted Direct IP Via Wget (emerging-threats)
• Suspicious Inbox Manipulation Rules (core)
• Linux Base64 Encoded Pipe to Shell (core)
• Linux Base64 Encoded Shebang In CLI (core)
• Linux Shell Pipe to Shell (core)
• Payload Decoded and Decrypted via Built-in Utilities (core)
• Potential Base64 Decoded From Images (core)
• PowerShell Decompress Commands (core)
• MSHTA Execution with Suspicious File Extensions (core)
• Ping Hex IP (core)
• PowerShell Base64 Encoded FromBase64String Cmdlet (core)
• Base64 Encoded PowerShell Command Detected (core)
• Suspicious XOR Encoded PowerShell Command (core)
• Potential Commandline Obfuscation Using Escape Characters (core)
• DNS-over-HTTPS Enabled by Registry (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.