Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)
Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage)
For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021)
Embedded content may also be used as Process Injection payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.009 | Embedded Payloads |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement protects against Embedded Payloads through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-02 | Flaw Remediation | mitigates | T1027.009 | Embedded Payloads | |
| SI-03 | Malicious Code Protection | mitigates | T1027.009 | Embedded Payloads | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1027.009 | Embedded Payloads | |
| SI-04 | System Monitoring | mitigates | T1027.009 | Embedded Payloads |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1027.009 | Embedded Payloads |
Comments
This control can protect against embedded payloads.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.009 | Embedded Payloads |
Comments
This control can protect against embedded payloads.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ids | Cloud IDS | technique_scores | T1027.009 | Embedded Payloads |
Comments
Google Cloud IDS can detect network-based threats like malicious software.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads through DLP content inspection
References
|