Command and Control

T1001: Data Obfuscation

T1001 · Technique · 4 platforms · 1 group

Description

Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Platforms

ESXi, Linux, macOS, Windows

Sub-Techniques (3)

Mitigations (1)

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Threat Groups (1)

| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used obfuscated VBScripts with randomly generated variable names and concatenated strings... |

Associated Software (13)

| ID | Name | Type | Context |
|---|---|---|---|
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) encrypts the payload of HTTP POST communications using the same XOR key used for the malware'... |
| S0439 | Okrum | Malware | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Ci... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has XOR-encoded and RC4-encrypted its beacon.(Citation: Lumen_SystemBC_Sept2025) |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has hashed a string containing system information prior to exfiltration via POST requests.(Ci... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests.(Citation:... |
| S0682 | TrailBlazer | Malware | [TrailBlazer](https://attack.mitre.org/software/S0682) can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.(Citation: Crowd... |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can send compressed and obfuscated packets to C2.(Citation: Bitdefender FunnyDream Campaign Nove... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) will retrieve encrypted commands from its command and control server for follow-on actions such a... |
| S1120 | FRAMESTING | Malware | [FRAMESTING](https://attack.mitre.org/software/S1120) can send and receive zlib compressed data within `POST` requests.(Citation: Mandiant Cutting Edg... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can modify the Origin and Referrer fields in HTTPS headers it relays between intended victims and... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.(Cita... |
| S0381 | FlawedAmmyy | Malware | [FlawedAmmyy](https://attack.mitre.org/software/S0381) may obfuscate portions of the initial C2 handshake.(Citation: Proofpoint TA505 Mar 2018) |
| S0610 | SideTwist | Malware | [SideTwist](https://attack.mitre.org/software/S0610) can embed C2 responses in the source code of a fake Flickr webpage.(Citation: Check Point APT34 A... |

References

Frequently Asked Questions

What is T1001 (Data Obfuscation)?

T1001 is a MITRE ATT&CK technique named 'Data Obfuscation'. It belongs to the Command and Control tactic. Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

How can T1001 be detected?

Detection of T1001 (Data Obfuscation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1001?

There is 1 documented mitigation for T1001: Network Intrusion Prevention (M1031).

Which threat groups use T1001?

Known threat groups using T1001 include: Gamaredon Group.