Obfuscated Files or Information (T1027)

View on ATT&CK

In Playbook

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. Volexity PowerDuke November 2016
Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. GitHub Revoke-Obfuscation
Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. FireEye Obfuscation June 2017
Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. FireEye Revoke-Obfuscation July 2017
Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. GitHub Office-Crackros Aug 2016
Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. Linux/Cdorked.A We Live Security Analysis
Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. Carbon Black Obfuscation Sept 2016
White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. PaloAlto EncodedCommand March 2017