Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0767: Analytic 0767

An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution.

EnterpriseAN0767AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows behavior where an attacker uses legitimate built-in utilities such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from encoded or obfuscated files. The business issue is not the tools themselves—they are common administrative utilities—but the sequence: file staging or download followed quickly by decoding and possible script or payload execution. That pattern can be an important early warning that seemingly harmless files are being converted into executable malicious content inside the environment.

Executive priority

Prioritize this as a validation point for Windows endpoint visibility and response readiness. Because the behavior relies on built-in tools, prevention and detection depend heavily on process telemetry, command-line visibility, file activity, and SOC tuning rather than simple blocklists. Leaders should ask whether teams can reconstruct the chain from file arrival to decoding to follow-on execution, and whether incident responders have enough evidence to decide quickly whether a decoded file is benign administration, software deployment activity, or suspicious payload preparation.

Technical view

For SOC and detection engineering teams, validate coverage for Windows process creation involving certutil.exe, powershell.exe, copy.exe, and similar built-in utilities when they appear soon after file staging or download and are followed by script interpreter activity or additional payload execution. Since the ATT&CK object does not provide a formal detection rule, tuning should focus on behavioral chains rather than single-process alerts. Useful context includes parent-child process relationships, command-line arguments, file creation/modification events, recent downloads or staged files, and subsequent execution from the decoded or reassembled content.

Likely telemetry

  • Windows process creation events with command-line arguments
  • Parent-child process relationships for built-in utilities and script interpreters
  • File creation, modification, rename, and extraction/reassembly activity
  • Download or file-staging evidence from browser, email, endpoint, or proxy logs where available
  • Execution events for payloads or scripts launched shortly after decoding activity

Detection direction

  • Validate that endpoint telemetry captures command lines for certutil.exe, powershell.exe, copy.exe, and related Windows utilities.
  • Correlate decoding or file manipulation utilities with recent file staging/download events and follow-on execution rather than alerting only on tool names.
  • Tune for suspicious sequences involving encoded or obfuscated containers, reassembly, extraction, and subsequent script or payload launch.
  • Account for false positives from administration, software deployment, troubleshooting, and legitimate certificate or file-handling workflows.
  • Identify blind spots where command-line logging, file activity telemetry, or parent-child process visibility is missing.

Mitigation priorities

  • Ensure Windows endpoint logging and EDR coverage can preserve process, command-line, file, and execution context.
  • Apply least-privilege and administrative control review so routine users do not have unnecessary ability to stage and execute decoded content.
  • Use application control or script control policies where appropriate to limit unauthorized execution paths and interpreter abuse.
  • Document approved administrative and software deployment workflows so the SOC can distinguish expected decoding or copy activity from suspicious chains.
  • Test incident response playbooks against this behavior to confirm analysts can trace staged files through decoding and execution.
Analyst notes and limits

This object is a detection analytic, not a technique entry, and no tactics, relationships, or official detection logic were supplied. The strongest decision value is to use it as a coverage test for Windows behavioral correlation around built-in utility abuse after file staging or download.

The source provides a Windows platform and a behavioral description only. It does not include a detection query, data source list, associated ATT&CK techniques, procedures, actors, campaigns, or mitigation mappings. Local baselines are required to separate legitimate administrative decoding or file manipulation from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0767

An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
00976f0c0d7d2b33...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 00976f0c0d7d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0767
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use