Common Information
Value Obfuscated Files or Information - T1027
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language-specific semantics can be used to evade signature-based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)

Another example of obfuscation is the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversary uses of steganography was the activity surrounding Invoke-PSImage. The Duqu malware encrypted the information gathered from a victim's system and hid it in an image, then exfiltrated the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

Detection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like ^ and ". Windows Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)

Obfuscation used in payloads for Initial Access can be detected on the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.
Platforms: Linux, macOS, Windows
Data Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection
Defense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path
Contributors: Red Canary, Christiaan Beek, @ChristiaanBeek
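The detection guidance above (flag commands carrying uninterpreted escape characters such as ^ and ", environment-variable tricks and encoded payloads, using the command-line arguments that Sysmon and Event ID 4688 record) can be turned into a small triage filter. The script below is an added example written for this entry; it is not code from MITRE ATT&CK, MISP or any of the cited reports. The regexes, the entropy threshold, the field names and the sample process-creation records are all constructed for illustration and are not a tuned ruleset or real log captures.

```python
"""Heuristic scan of process-creation command lines for T1027-style indicators.

Constructed example: the patterns, thresholds and sample events below are
illustrative assumptions, not a production detection ruleset.
"""
import base64
import math
import re

# cmd.exe caret escapes: c^m^d is only rejoined to "cmd" at execution time
CARET_RE = re.compile(r"\^")
# A double quote wedged between two word characters, e.g. po"wer"shell
INWORD_QUOTE_RE = re.compile(r'\w"\w')
# PowerShell backtick escape inside a word, e.g. Inv`oke
INWORD_BACKTICK_RE = re.compile(r"\w`\w")
# cmd.exe substring expansion of an environment variable, e.g. %COMSPEC:~0,3%
ENV_SUBSTRING_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")
# -EncodedCommand and the common abbreviations, followed by a base64 blob
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Long base64-looking tokens are checked for entropy separately
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; plain ASCII text usually sits below


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline: str) -> list:
    """Return the names of the obfuscation indicators found in one command line."""
    hits = []
    if len(CARET_RE.findall(cmdline)) >= 2:
        hits.append("caret_escape")
    if INWORD_QUOTE_RE.search(cmdline):
        hits.append("inword_quote")
    if INWORD_BACKTICK_RE.search(cmdline):
        hits.append("backtick_escape")
    if ENV_SUBSTRING_RE.search(cmdline):
        hits.append("env_substring")
    if ENCODED_RE.search(cmdline):
        hits.append("encoded_command")
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in BLOB_RE.findall(cmdline)):
        hits.append("high_entropy_blob")
    return hits


def scan_events(events):
    """Scan process-creation records; return only those with indicators attached."""
    flagged = []
    for ev in events:
        hits = scan_command_line(ev["CommandLine"])
        if hits:
            flagged.append({**ev, "Indicators": hits,
                            "Decoded": decode_encoded_command(ev["CommandLine"])})
    return flagged


# Constructed sample records, loosely modelled on Sysmon Event ID 1 and Windows
# Event ID 4688 fields. None of these is a real capture.
ENCODED_GET_DATE = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c c^m^d /c "ec^ho obfuscated"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c %COMSPEC:~0,3%.exe /c po"wer"shell -NoP -W Hidden'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc " + ENCODED_GET_DATE},
]

if __name__ == "__main__":
    for rec in scan_events(SAMPLE_EVENTS):
        print(rec["EventID"], rec["Indicators"], rec["Decoded"], "|", rec["CommandLine"])
```

Each indicator is reported by name so an analyst can see why a record was flagged, and the decoded -EncodedCommand payload is attached for review rather than executed. Caret counting uses a threshold of two because a single ^ appears in legitimate batch files; the entropy check only looks at long base64-like tokens to keep ordinary file paths and switches out of the score.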
Details Published Attributes CTI Title
Details Website 2025-01-22 40 Dark Web Profile: OilRig (APT34) - SOCRadar® Cyber Intelligence Inc.
Details Website 2025-01-18 8 Malware Analysis of RedLine777, AgentTesla, and Amadey
Details Website 2025-01-17 14 ANDROID MALWARE IN DONOT APT OPERATIONS - CYFIRMA
Details Website 2025-01-16 15 Evading Endpoint Detection and Response (EDR)
Details Website 2025-01-07 26 Formbook Phishing Campaign: Stealth and Evasion Tactics Unveiled
Details Website 2024-12-31 49 Dark Web Profile: Gamaredon APT - SOCRadar® Cyber Intelligence Inc.
Details Website 2024-12-30 30 Redline Stealer: A Persistent Threat
Details Website 2024-12-27 80 Exposing the Steps of the Kimsuky APT Group
Details Website 2024-12-24 3 Static Analysis of the Infamous Akira Ransomware
Details Website 2024-12-23 19 Volt Typhoon Explained: Living Off the Land Tactics for Cyber Espionage
Details Website 2024-12-20 159 Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure
Details Website 2024-12-19 50 Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads
Details Website 2024-12-18 23 NotLockBit: A Deep Dive Into the New Ransomware Threat | Qualys Security Blog
Details Website 2024-12-16 14 UAC-0099 Attack Detection: Cyber-Espionage Activity Against Ukrainian State Agencies Using WinRAR Exploit and LONEPAGE Malware - SOC Prime
Details Website 2024-12-13 39 OilRig Exposed: Unveiling the Tools and Techniques of APT34
Details Website 2024-12-13 140 Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite — Elastic Security Labs
Details Website 2024-12-12 16 Dark Web Profile: Salt Typhoon - SOCRadar® Cyber Intelligence Inc.
Details Website 2024-12-12 35 Androxgh0st Malware: Unmasking the Silent Threat to Cloud and Web Security
Details Website 2024-12-10 146 AppLite: A New AntiDot Variant Targeting Mobile Employee Devices
Details Website 2024-12-10 148 AppLite: A New AntiDot Variant Targeting Mobile Employee Devices
Details Website 2024-12-09 23 Dark Web Profile: Ymir Ransomware - SOCRadar® Cyber Intelligence Inc.
Details Website 2024-12-07 11 Mapping Current Cyber Threats to the MITRE ATT&CK Framework: A Simple Guide
Details Website 2024-12-06 16 Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia - CYFIRMA
Details Website 2024-12-05 45 Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot
Details Website 2024-12-05 43 Threat Actor Targets Manufacturing Industry With Malware