Stealth

T1027: Obfuscated Files or Information


T1027 · Technique · 5 platforms · 18 groups

Description

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
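The description above names the concrete forms this technique takes in telemetry: Base64 and XOR-encoded strings, encrypted or packed payload sections, and encoded command lines passed to a scripting interpreter. The following Python is an added example written for this page (it is not MITRE ATT&CK content or any vendor's detection code) showing two defender-side triage checks a practitioner would run over endpoint events: decoding a PowerShell `-EncodedCommand` argument back to plaintext and flagging long Base64 runs that decode to readable script text, and scoring file bytes by Shannon entropy to surface packed or encrypted payloads. The event records, the `cmdline`/`file_bytes` field names and the `HIGH_ENTROPY` threshold are assumptions made for the example; all sample inputs are constructed.

```python
"""Added example: defender-side triage heuristics for T1027 indicators.

Illustrative code written for this page, not ATT&CK or vendor code. It assumes
process-creation records carrying a 'cmdline' string and, optionally, the bytes
of the written/loaded file under 'file_bytes'. Every sample below is constructed.
"""
import base64
import binascii
import math
import re
import string
from collections import Counter
from typing import Dict, List, Optional

# Assumed threshold: compressed/encrypted data sits near 8 bits/byte, ordinary
# code and text well below it. Tune against your own baseline.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0 (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# PowerShell accepts -EncodedCommand and its unambiguous abbreviations; the
# common spellings are covered here. The argument is Base64 over UTF-16LE text.
_ENCODED_CMD = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
# A long run of Base64 characters anywhere else on the command line.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument, or None if absent or not valid Base64."""
    m = _ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def find_base64_text(text: str) -> List[str]:
    """Long Base64 runs (e.g. fed to FromBase64String) that decode to readable text."""
    found = []
    for m in _B64_RUN.finditer(text):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        # UTF-8 first; a UTF-16LE payload fails the printable check there
        # because of its NUL bytes and is caught on the second pass.
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s and all(ch in string.printable for ch in s):
                found.append(s)
                break
    return found


def triage_event(event: Dict) -> List[str]:
    """Human-readable findings for one process-creation record."""
    findings = []
    cmd = event.get("cmdline", "")
    plain = decode_encoded_command(cmd)
    if plain is not None:
        findings.append(f"encoded PowerShell command decodes to: {plain!r}")
    # Drop the -EncodedCommand token so it is not reported twice.
    for s in find_base64_text(_ENCODED_CMD.sub(" ", cmd)):
        findings.append(f"base64 blob decodes to text: {s!r}")
    body = event.get("file_bytes")
    if body is not None:
        h = shannon_entropy(body)
        if h >= HIGH_ENTROPY:
            findings.append(f"high-entropy file ({h:.2f} bits/byte): possible packed/encrypted payload")
    return findings


# Constructed sample events (benign contents, not real telemetry).
_ENC = base64.b64encode("Get-Process | Out-Null".encode("utf-16-le")).decode()
_B64 = base64.b64encode(b"Write-Output 'constructed sample payload'").decode()
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {_ENC}"},
    {"pid": 4121, "image": "powershell.exe",
     "cmdline": f"powershell.exe -c \"[Convert]::FromBase64String('{_B64}')\""},
    {"pid": 777, "image": "dropper.exe", "cmdline": "dropper.exe",
     "file_bytes": bytes(range(256)) * 4},        # uniform bytes: entropy 8.0
    {"pid": 778, "image": "notepad.exe", "cmdline": "notepad.exe readme.txt",
     "file_bytes": b"plain text " * 50},           # low entropy, no finding
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for line in triage_event(ev):
            print(f"pid {ev['pid']} ({ev['image']}): {line}")
```

In practice the decoded plaintext, not the Base64 blob, is what gets fed to your keyword rules, which is also the point of the AMSI mitigation listed below: inspect content after the interpreter has unwrapped it. The entropy score is only a prioritisation signal; signed installers and legitimately compressed archives score high too, so pair it with process lineage and file-origin context before alerting.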

Platforms

ESXi, Linux, macOS, Network Devices, Windows

Sub-Techniques (18)

Mitigations (4)

M1047: Audit

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

M1040: Behavior Prevention on Endpoint

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. (Citation: win10_asr)

M1017: User Training

Ensure that a finite number of ingress points to a software deployment system exist, with access restricted to those required to allow and enable newly deployed software.

M1049: Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. (Citation: Microsoft AMSI June 2015)

Threat Groups (18)

| ID | Group | Context |
| --- | --- | --- |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has obfuscated tools and malware it uses with VMProtect.(Citation: ESET BackdoorDiplomacy J... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used malware with string encryption.(Citation: therecord_redcurl) [RedCurl](https://attack.mitre.... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [HTRAN](https://attack.mitre.org/software/S0040) in which they obfuscated ... |
| G0084 | Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018) |
| G0063 | BlackOasis | [BlackOasis](https://attack.mitre.org/groups/G0063)'s first stage shellcode contains a NOP sled with alternative instructions that was likely designed... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye) |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used string encoding with floating point calculations.(Citation: BlackBerry Bahamut) |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used Base64-encoded shellcode strings.(Citation: Microsoft NICKEL December 2021) |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Cit... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: Thre... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) delivers encrypted payloads in pieces that are then combined together to form a new portable ... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered initial payloads hidden using archives and encoding measures.(Citation: Anomali M... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used Base64 encoding within malware variants.(Citation: iSight Sandworm Oct 2014) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments.(Citatio... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020) |

Associated Software (138)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized double-base64 encoding to store stolen secrets within the Github Action Logs within... |
| S0633 | Sliver | Tool | [Sliver](https://attack.mitre.org/software/S0633) obfuscates configuration and other static files using native Go libraries such as `garble` and `gobf... |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) can use anti-disassembly and code transformation obfuscation techniques.(Citation: CrowdStrike Wizard ... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.(Citation: Securewor... |
| S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) has obfuscated strings with base64 encoding.(Citation: Infoblox Lokibot January 2019) |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) can encrypt victim data with an RC4 cipher.(Citation: HP SVCReady Jun 2022) |
| S0393 | PowerStallion | Malware | [PowerStallion](https://attack.mitre.org/software/S0393) uses a XOR cipher to encrypt command output written to its OneDrive C2 server.(Citation: ESET... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has utilized Go libraries to include Garble to obfuscate code.(Citation: Picus Security BRICKSTO... |
| S0242 | SynAck | Malware | [SynAck](https://attack.mitre.org/software/S0242) payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.(Citatio... |
| S1025 | Amadey | Malware | [Amadey](https://attack.mitre.org/software/S1025) has obfuscated strings such as antivirus vendor names, domains, files, and others.(Citation: BlackBe... |
| S0518 | PolyglotDuke | Malware | [PolyglotDuke](https://attack.mitre.org/software/S0518) can custom encrypt strings.(Citation: ESET Dukes October 2019) |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use a custom Base64 alphabet to encode an API decryption key.(Citation: Mandiant ROADSWEEP... |
| S9033 | Fooder | Malware | [Fooder](https://attack.mitre.org/software/S9033) has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified ... |
| S0197 | PUNCHTRACK | Malware | [PUNCHTRACK](https://attack.mitre.org/software/S0197) is loaded and executed by a highly obfuscated launcher.(Citation: FireEye Fin8 May 2016) |
| S0593 | ECCENTRICBANDWAGON | Malware | [ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) has encrypted strings with RC4.(Citation: CISA EB Aug 2020) |
| S0502 | Drovorub | Malware | [Drovorub](https://attack.mitre.org/software/S0502) has used XOR encrypted payloads in WebSocket client to server messages.(Citation: NSA/FBI Drovorub... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)(Citati... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed in ISO archives.(Citation: DCSO StrelaStealer 2022) [StrelaStealer](http... |
| S0012 | PoisonIvy | Malware | [PoisonIvy](https://attack.mitre.org/software/S0012) hides any strings related to its own indicators of compromise.(Citation: Symantec Darkmoon Aug 20... |
| S0594 | Out1 | Tool | [Out1](https://attack.mitre.org/software/S0594) has the ability to encode data.(Citation: Trend Micro Muddy Water March 2021) |

Frequently Asked Questions

What is T1027 (Obfuscated Files or Information)?

T1027 is a MITRE ATT&CK technique named 'Obfuscated Files or Information'. It belongs to the Stealth tactic(s). Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavi...

How can T1027 be detected?

Detection of T1027 (Obfuscated Files or Information) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1027?

There are 4 documented mitigations for T1027. Key mitigations include: Audit, Behavior Prevention on Endpoint, User Training, Antivirus/Antimalware.

Which threat groups use T1027?

Known threat groups using T1027 include: BackdoorDiplomacy, RedCurl, Rocke, GALLIUM, Gallmaker, BlackOasis, APT3, APT-C-36.