Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-ptt | Intel Platform Trust Technology | Win 11, Secure Boot | T1027 | Obfuscated Files or Information |
Comments
Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. It verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system.
When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Rollback protection also prevents the system from rolling back to older versions of firmware.
Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at the boot level in real-time or modify components involved in the boot process before the boot process. Intel Boot Guard ensures the integrity of the boot-level code before it is executed on the processor, preventing the system from proceeding with malicious boot code.
Secure Boot is able to address threats pre-os that change the signature of the loaded boot component.
References
|
| intel-tdt | Intel Threat Detection Technology | Microsoft Defender | T1027 | Obfuscated Files or Information |
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs.
Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
References
|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1027 | Obfuscated Files or Information |
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs.
Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
Intel Threat Detection Technology (TDT), in combination with CrowdStrike's Accelerated Memory Scanning (CAMS), significantly enhances cybersecurity defenses by enabling the real-time detection of Obfuscated Files or Information (T1027). This integrated solution strengthens CrowdStrike Falcon by improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact.
Obfuscated Files or Information (T1027) refers to adversaries using techniques to obfuscate their payloads, making it harder for traditional security measures to detect malicious code or data. Common obfuscation methods include packing, encryption, or using alternative encoding schemes to hide the true intent of the files. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, helping security teams detect abnormal behaviors such as suspicious attempts to decode or unpack files, or attempts to execute obfuscated code.
References
|
| intel-tdt | Intel Threat Detection Technology | Microsoft Defender | T1027 | Obfuscated Files or Information |
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs.
Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU).
Intel Threat Detection Technology (TDT), in combination with CrowdStrike's Accelerated Memory Scanning (CAMS), significantly enhances cybersecurity defenses by enabling the real-time detection of Obfuscated Files or Information (T1027). This integrated solution strengthens CrowdStrike Falcon by improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact.
Obfuscated Files or Information (T1027) refers to adversaries using techniques to obfuscate their payloads, making it harder for traditional security measures to detect malicious code or data. Common obfuscation methods include packing, encryption, or using alternative encoding schemes to hide the true intent of the files. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, helping security teams detect abnormal behaviors such as suspicious attempts to decode or unpack files, or attempts to execute obfuscated code.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1027.011 | Fileless Storage | 2 |
| T1027.009 | Embedded Payloads | 2 |
| T1027.013 | Encrypted/Encoded File | 2 |
| T1027.008 | Stripped Payloads | 2 |
| T1027.001 | Binary Padding | 2 |
| T1027.005 | Indicator Removal from Tools | 2 |
| T1027.003 | Steganography | 2 |
| T1027.004 | Compile After Delivery | 3 |
| T1027.010 | Command Obfuscation | 2 |
| T1027.002 | Software Packing | 3 |
| T1027.007 | Dynamic API Resolution | 2 |