Keypoints
- Obfuscation hides payloads by encoding, encrypting, compressing, or splitting files to evade signature-based defenses.
- Attackers may require user action or a password to open protected archives, enabling social engineering during delivery.
- Command obfuscation uses environment variables, aliases, escaped characters, and language quirks to mask execution.
- Network-level detection can identify compressed/encrypted attachments but requires TLS inspection for HTTPS delivery.
- Logs like process creation, file metadata, and command-line arguments are critical for spotting obfuscation artifacts.
Description:
- Like a magician’s false bottom suitcase, obfuscation conceals the dangerous item inside harmless-looking layers until the trick is completed.
- Adversaries transform or hide code and files—by encoding, encrypting, compressing, splitting, or altering commands—to prevent discovery and analysis, enabling initial access, payload delivery, and later-stage actions while reducing the chance of detection.
Detection:
- Monitor process creation command lines (Sysmon, Windows Event ID 4688) for suspicious encoded parameters and uninterpreted escape characters such as ^ or ".
- Use file- and content-scanning tools to flag compressed, archived, or encrypted attachments at email gateways and proxies; enable sandbox detonation for nested archives.
- Deploy deobfuscation and decoding tools (Revoke-Obfuscation, Office-Crackros) to automatically analyze suspicious scripts and encoded command strings.
- Inspect file metadata and creation events for unusual write patterns, rapid file assembly, or multiple small files that may be reassembled into a payload.
- Enable TLS/SSL inspection on network devices to detect encrypted payload delivery from websites; pair with IDS signatures for packed/encoded payloads.
- Correlate alerts across AV, EDR, network IDS, and email scanners; treat an initial detection of obfuscated content as an indicator of potential broader activity and investigate later stages.
- Watch for frequent false positives from legitimate packers/cryptography; tune rules to focus on atypical contexts (unexpected spawn chains, uncommon encoders, mismatched parent/child processes) and document baseline application behaviors.
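As an added example (not from the ATT&CK page), a small Python scanner over constructed Sysmon-style process-creation records that flags the indicators listed above: base64 -EncodedCommand arguments, which it decodes from UTF-16LE for analyst review, and runs of uninterpreted ^ and " characters. The thresholds and sample records are assumptions and should be baselined against your own telemetry.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators from the Detection list above; thresholds are assumed, not tuned values.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CARET_THRESHOLD = 3   # uninterpreted cmd.exe ^ escapes in one command line
QUOTE_THRESHOLD = 6   # stray " characters used to split up tokens

@dataclass
class Finding:
    image: str
    indicators: list = field(default_factory=list)
    decoded: Optional[str] = None   # decoded -EncodedCommand text, if any

def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 over UTF-16LE script text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(image: str, command_line: str) -> Finding:
    """Collect obfuscation indicators present in one CommandLine field."""
    finding = Finding(image=image)
    match = ENCODED_FLAG.search(command_line)
    if match:
        finding.indicators.append("encoded_command")
        finding.decoded = decode_encoded_command(match.group(1))
    carets = command_line.count("^")
    if carets >= CARET_THRESHOLD:
        finding.indicators.append(f"caret_escapes:{carets}")
    quotes = command_line.count('"')
    if quotes >= QUOTE_THRESHOLD:
        finding.indicators.append(f"excess_quotes:{quotes}")
    return finding

def scan_events(events: list) -> list:
    # Keep only Sysmon-style (Image, CommandLine) records that carry indicators.
    hits = (analyze_command_line(e["Image"], e["CommandLine"]) for e in events)
    return [h for h in hits if h.indicators]

# Constructed sample records (not real telemetry); the encoded payload is a harmless Get-Date.
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Image": "powershell.exe", "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ec^ho ob^fus^cat^ed"},
]
```

Feed real Sysmon Event ID 1 or 4688 records with the same two fields into scan_events and review the decoded text before escalating, since legitimate tooling also uses -EncodedCommand.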
Tactics:
Defense Evasion
Platforms:
ESXi, Linux, Network Devices, Windows, macOS
Data Sources:
Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Read More: https://attack.mitre.org/techniques/T1027