T1027: Obfuscated Files or Information
| View on MITRE ATT&CK | T1027 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Targeted Malware (CAPEC-542), Leverage Alternate Encoding (CAPEC-267) |
Data from MITRE ATT&CK®:
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
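The encoded-command form of this technique (a base64 payload passed to PowerShell, or certutil used as a decoder) is what the Process Creation and Command Execution data components below surface. As an added illustration that is not part of the MITRE data or this site's content, the following Python triage helper decodes such command lines from constructed Sysmon EID 1-style records; the function names and sample events are this example's own.

```python
import base64
import binascii
import re

# Encoded-command switch: powershell.exe accepts -EncodedCommand and its short forms.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# certutil invoked as a decoder rather than as a certificate tool.
CERTUTIL_DECODE = re.compile(r"(?i)certutil(?:\.exe)?.*\s-(?:decode|decodehex)\b")


def decode_powershell_b64(blob):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_command_line(cmdline):
    """Return (kind, detail) findings for one command line; empty list means nothing flagged."""
    findings = []
    m = ENC_SWITCH.search(cmdline)
    if m:
        decoded = decode_powershell_b64(m.group(1))
        if decoded is None:
            # Still worth an analyst's look: an encoded switch whose blob will not decode.
            findings.append(("encoded_powershell_undecodable", m.group(1)[:32]))
        else:
            findings.append(("encoded_powershell", decoded))
    if CERTUTIL_DECODE.search(cmdline):
        findings.append(("certutil_decode", cmdline))
    return findings


def triage_events(events):
    """Run triage over process-creation records; returns (event, findings) for flagged ones."""
    return [(e, f) for e in events if (f := triage_command_line(e["CommandLine"]))]


# Constructed sample records (not real telemetry); the encoded payload is a harmless command.
BENIGN_PS = "Write-Output 'inventory check'"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc "
                    + base64.b64encode(BENIGN_PS.encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\encoded.txt C:\Users\Public\decoded.bin"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir C:\Users"},
]

if __name__ == "__main__":
    for event, findings in triage_events(SAMPLE_EVENTS):
        for kind, detail in findings:
            print(f"{kind}: {event['Image']} -> {detail}")
```

The decoded text is what the "Base64 Encoded PowerShell Command Detected" style rules listed below would then be matched against.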
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusion activity by the UNC3886 intrusion set which involved the deployment of ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Mitigations for this technique
MITRE ATT&CK Mitigations
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
How to detect this technique
MITRE ATT&CK Data Components
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
WMI Creation (WMI)
Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)
Windows Registry Key Creation (Windows Registry)
Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)
OS API Execution (Process)
Operating system function/method calls executed by a process
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Execution from Compressed JScript File
Snake Malware Encrypted crmlog file
DLP Evasion via Sensitive Data in VBA Macro over email
Obfuscated Command in PowerShell
Execution from Compressed File
Execute base64-encoded PowerShell from Windows Registry
Obfuscated Command Line using special Unicode characters
Decode base64 Data into Script
Execute base64-encoded PowerShell
DLP Evasion via Sensitive Data in VBA Macro over HTTP
Sigma Detections for this Technique
Invoke-Obfuscation Via Stdin - Powershell
Invoke-Obfuscation Via Stdin - PowerShell Module
Invoke-Obfuscation Via Use MSHTA - PowerShell
Invoke-Obfuscation Via Use Clip
Invoke-Obfuscation CLIP+ Launcher - System
Invoke-Obfuscation STDIN+ Launcher - Security
Invoke-Obfuscation Via Use Rundll32 - Security
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Potential PowerShell Obfuscation Via WCHAR
Invoke-Obfuscation CLIP+ Launcher - Security
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Renamed AutoIt Execution
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Password Protected ZIP File Opened (Suspicious Filenames)
Invoke-Obfuscation Via Use Clip - Security
PowerShell Base64 Encoded WMI Classes
Suspicious XOR Encoded PowerShell Command
Potential PowerShell Command Line Obfuscation
Invoke-Obfuscation RUNDLL LAUNCHER - System
Certificate Exported Via Certutil.EXE
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Invoke-Obfuscation Via Use MSHTA - System
Suspicious Get-Variable.exe Creation
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Invoke-Obfuscation Via Use MSHTA - Security
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Invoke-Obfuscation Via Use Clip - System
Invoke-Obfuscation STDIN+ Launcher
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Decode Base64 Encoded Text
Potential Commandline Obfuscation Using Unicode Characters
Potential Encoded PowerShell Patterns In CommandLine
Suspicious File Downloaded From Direct IP Via Certutil.EXE
Suspicious Execution From GUID Like Folder Names
Invoke-Obfuscation VAR+ Launcher - PowerShell
Invoke-Obfuscation STDIN+ Launcher - System
Invoke-Obfuscation COMPRESS OBFUSCATION
Password Protected ZIP File Opened
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Invoke-Obfuscation Via Stdin
ConvertTo-SecureString Cmdlet Usage Via CommandLine
PowerShell Base64 Encoded Reflective Assembly Load
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - System
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Invoke-Obfuscation CLIP+ Launcher
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Invoke-Obfuscation Via Stdin - Security
Potential PowerShell Obfuscation Using Alias Cmdlets
Decode Base64 Encoded Text -MacOs
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Potential PowerShell Obfuscation Using Character Join
Password Protected ZIP File Opened (Email Attachment)
Invoke-Obfuscation Via Use Rundll32 - System
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
File Encoded To Base64 Via Certutil.EXE
File Decoded From Base64/Hex Via Certutil.EXE
Ping Hex IP
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Suspicious Download Via Certutil.EXE
Invoke-Obfuscation Via Use Clip - Powershell
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Invoke-Obfuscation VAR+ Launcher - System
PUA - Potential PE Metadata Tamper Using Rcedit
Invoke-Obfuscation STDIN+ Launcher - Powershell
Invoke-Obfuscation Via Use Clip - PowerShell Module
Invoke-Obfuscation Via Stdin - System
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Invoke-Obfuscation VAR+ Launcher - Security
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Suspicious File Encoded To Base64 Via Certutil.EXE
PowerShell Base64 Encoded Invoke Keyword
Invoke-Obfuscation Obfuscated IEX Invocation - System
Potential Winnti Dropper Activity
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Invoke-Obfuscation Via Use MSHTA
Suspicious SYSTEM User Process Creation
Base64 Encoded PowerShell Command Detected
Invoke-Obfuscation Obfuscated IEX Invocation
Invoke-Obfuscation VAR+ Launcher
Potential PowerShell Obfuscation Via Reversed Commands
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.