Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).(Citation: SFX - Encrypted/Encoded File)
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.
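As an added example (not part of the ATT&CK description or of any mapped control), a small Python static-triage helper that checks a file body for the three signals the description names: redundant Base64 layers, a Byte Order Mark prefix, and the high entropy typical of encrypted content. The thresholds and the sample inputs are constructed assumptions, not values from the page.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Byte Order Marks the description names as a text-file obfuscation vector.
BOMS = {b"\xef\xbb\xbf": "UTF-8", b"\xff\xfe": "UTF-16-LE", b"\xfe\xff": "UTF-16-BE"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/random data, far lower for text or code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def peel_base64(data: bytes, max_layers: int = 5) -> tuple[bytes, int]:
    """Strip redundant Base64 layers until the content stops decoding cleanly."""
    layers = 0
    while layers < max_layers:
        compact = b"".join(data.split())  # Base64 is often line-wrapped
        # Minimum length guards against short plaintext that happens to look like Base64.
        if len(compact) < 16 or not B64_RE.match(compact):
            break
        try:
            data = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        layers += 1
    return data, layers

def triage(data: bytes) -> dict:
    """Static verdict for one file body: BOM, Base64 depth, entropy of the innermost layer."""
    bom = next((name for sig, name in BOMS.items() if data.startswith(sig)), None)
    inner, layers = peel_base64(data)
    entropy = shannon_entropy(inner)
    return {
        "bom": bom,
        "base64_layers": layers,
        "entropy": round(entropy, 2),
        # High entropy over a non-trivial length is the usual encrypted-blob signal (assumed threshold).
        "likely_encrypted": entropy > 7.5 and len(inner) >= 256,
        "revealed": inner,
    }

# Constructed samples, not real artifacts: a doubly Base64-wrapped C2 string,
# a BOM-prefixed script line, and a uniform byte blob standing in for encrypted content.
SAMPLE_C2 = b"http://c2.example.invalid/beacon"
LAYERED = base64.b64encode(base64.b64encode(SAMPLE_C2))
BOM_SCRIPT = b"\xef\xbb\xbf" + b"Write-Host 'hello'"
ENCRYPTED_LIKE = bytes(range(256)) * 16
```

Run `triage()` over each file body in a collection; a non-zero Base64 depth, a BOM on a script file, or a high-entropy innermost layer are the cases worth routing to a sandbox or a full antimalware scan.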
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.013 | Encrypted/Encoded File | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. |
PR.IR-01.08 | End-user device access | Mitigates | T1027.013 | Encrypted/Encoded File | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.013 | Encrypted/Encoded File | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-05.01 | Malware prevention | Mitigates | T1027.013 | Encrypted/Encoded File | Antivirus/antimalware software can be used to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating them. |
PR.PS-01.08 | End-user device protection | Mitigates | T1027.013 | Encrypted/Encoded File | This diagnostic statement protects against Encrypted/Encoded File by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SI-03 | Malicious Code Protection | mitigates | T1027.013 | Encrypted/Encoded File | Encrypted/encoded malware is designed to hide its true purpose from an observer, meaning that signature-based methods of detection may fail. Incorporating alternative detection methods as noted in control SI-03 can provide additional avenues to detect this obfuscated malware and protect against the damage it can cause. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1027.013 | Encrypted/Encoded File | |
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.013 | Encrypted/Encoded File | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1027.013 | Encrypted/Encoded File | This control can detect obfuscation via encrypted/encoded files. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1027.013 | Encrypted/Encoded File | This control can detect obfuscation via encrypted/encoded files. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1027.013 | Encrypted/Encoded File | This control can protect against obfuscation via encrypted/encoded files. |
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.013 | Encrypted/Encoded File | This control can protect against obfuscation via encrypted/encoded files. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1027.013 | Encrypted/Encoded File | Google Cloud IDS can detect network-based threats like malicious software. |