T1027.009: Embedded Payloads

View on MITRE ATT&CK	T1027.009
Tactic(s)	Defense Evasion
Associated CAPEC Patterns	Leverage Executable Code in Non-Executable Files (CAPEC-35) , Embed Virus into DLL (CAPEC-448) , Embedding Scripts within Scripts (CAPEC-19)

Data from MITRE ATT&CK®:

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)

Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage)

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021)

Embedded content may also be used as Process Injection payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

KAPEKA A novel backdoor spotted in Eastern Europe

This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...

View Source

Report

Evasive Panda leverages Monlam Festival to target Tibetans

This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...

View Source

Report

StopRansomware: Phobos Ransomware

This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...

View Source

Report

Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections

Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...

View Source

Mitigations for this technique

MITRE ATT&CK Mitigations

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

How to detect this technique

MITRE ATT&CK Data Components

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Sigma Detections for this Technique

Powershell Token Obfuscation - Process Creation

windows process creation

Powershell Token Obfuscation - Powershell

windows ps script

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
SI-3: Malicious Code Protection
SI-4: System Monitoring
SI-7: Software, Firmware, and Information Integrity
SI-2: Flaw Remediation