[T1027.006 ] Obfuscated Files or Information: HTML Smuggling – HTML Smuggling hides malicious payloads inside seemingly benign HTML/JavaScript so files are reconstructed client-side and bypass content filters. Monitor for unusual use of Blobs, Data URLs, and download attributes to reduce risk. #HTMLSmuggling #DefenseEvasion
Category: MITRE
[T1027.005 ] Obfuscated Files or Information: Indicator Removal from Tools – Adversaries alter or strip identifiable indicators from their tools after detection to evade future defenses and continue operations undetected. This tactic reduces signature-based detections and increases the chances of successful reinfection or lateral movement. #ObfuscatedFiles #DefenseEvasion
[T1027.004 ] Obfuscated Files or Information: Compile After Delivery – Adversaries deliver source code or non-native binaries that must be compiled or assembled on the victim to evade detection and analysis. Watch for unexpected compiler use, cross-platform toolchains, and file creation patterns that indicate in-place compilation. #ObfuscatedFiles #CompileAfterDelivery
[T1027.003 ] Obfuscated Files or Information: Steganography – Steganography hides data inside innocuous media like images, audio, or video to evade detection and exfiltrate information. Adversaries embed commands, credentials, or encrypted payloads in files and transmit them to C2, making discovery harder than with overt malware. #Steganography #Detection
[T1027.002 ] Obfuscated Files or Information: Software Packing – Software packing compresses or encrypts executables to hide their original code and evade signature-based detection. Attackers use packers or custom VM-based protections to unpack or interpret code at runtime, often in memory, complicating static analysis and detection. #SoftwarePacking #DefenseEvasion
[T1027.001 ] Obfuscated Files or Information: Binary Padding – Binary padding is a defense-evasion technique where attackers append junk data or expand sections of a file to alter its on-disk representation, change checksums, and evade hash- and size-based detections; defenders should monitor file metadata, size anomalies, and process behavior to spot padded binaries. #BinaryPadding #DefenseEvasion
[T1027 ] Obfuscated Files or Information – Adversaries hide malicious code by encrypting, encoding, compressing, or otherwise transforming files and commands to avoid detection and analysis. This behavior spans platforms and delivery methods, often requiring user interaction or special handling to reveal the true payload. #Obfuscation #DefenseEvasion
[T1025 ] Data from Removable Media – Adversaries search and collect sensitive files from connected removable media (USB drives, optical discs, SD cards) on compromised hosts to gather data prior to exfiltration. Monitoring process activity, command-lines, and file-access patterns on endpoints helps detect this behavior. #DataFromRemovableMedia #RemovableMediaSecurity
[T1021.008 ] Remote Services: Direct Cloud VM Connections – Adversaries can use valid credentials or stolen keys to connect directly to cloud-hosted virtual machines using provider-native consoles and APIs, gaining interactive root or SYSTEM access to pivot and persist. Protecting cloud access paths and monitoring session activity are critical. #CloudSecurity #LateralMovement
[T1021.007 ] Remote Services: Cloud Services – Adversaries leverage federated or synchronized on-premises identities to authenticate to cloud consoles and CLIs, allowing them to perform management actions and access cloud resources as legitimate users. Watch for unusual cloud logins, CLI commands, and token usage to detect misuse. #CloudSecurity #LateralMovement
[T1021.006 ] Remote Services: Windows Remote Management – WinRM lets attackers reuse valid credentials to remotely run commands, modify settings, and manage services on Windows hosts, enabling stealthy lateral movement across a network. Monitor WinRM usage and related processes and network connections to detect misuse. #WindowsRemoteManagement #WinRM
[T1021.005 ] Remote Services: VNC – VNC (Virtual Network Computing) enables remote screen sharing and control across platforms, and adversaries can abuse it with valid accounts to move laterally, execute commands, and exfiltrate data. Monitor connection patterns, authentication events, and post-login activity to spot misuse. #VNC #LateralMovement
[T1021.004 ] Remote Services: SSH – Adversaries use SSH to access remote systems with valid credentials or stolen keys, enabling stealthy lateral movement and remote command execution across Linux, macOS, and ESXi hosts. Monitor access patterns and post-login activity to distinguish legitimate use from abuse. #SSH #LateralMovement
[T1021.003 ] Remote Services: Distributed Component Object Model – DCOM lets software on one Windows machine invoke and control COM objects on another machine using RPC. Attackers with valid credentials can abuse DCOM to execute code, launch processes, or trigger Office-based payloads remotely, enabling stealthy lateral movement. #DCOM #LateralMovement
[T1021.002 ] Remote Services: SMB/Windows Admin Shares – Adversaries use SMB and hidden Windows admin shares to move laterally and perform remote file operations and execution as authenticated users. Monitor authenticated SMB activity, administrative share access, and anomalous remote execution to detect misuse. #SMB #LateralMovement