T1027: Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_And_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected mitre_attck_defense_evasion: PT-CR-194: Csc_AWL_Bypass: An attempt to bypass application-start restrictions by using csc.exe (a built-in Microsoft Windows utility used by .NET to compile C# code)

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0005Data source and componentWMI: WMI CreationDescription

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

IDDS0012Data source and componentScript: Script ExecutionDescription

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

IDDS0022Data source and componentFile: File CreationDescription

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

IDDS0011Data source and componentModule: Module LoadDescription

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.

IDDS0022Data source and componentFile: File MetadataDescription

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.

IDDS0009Data source and componentProcess: OS API ExecutionDescription

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.

IDDS0024Data source and componentWindows Registry: Windows Registry Key CreationDescription

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Mitigation

IDM1040NameBehavior Prevention on EndpointDescription

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads.

IDM1049NameAntivirus/AntimalwareDescription

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.

IDM1047NameAuditDescription

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

IDM1017NameUser TrainingDescription

Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.