MITRE ATT&CK Tactic(s): Defense Evasion
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
Last accessed: May 23, 2022
Total ATT&CK-mapped resources: 2328
ATT&CK-mapped resources for this (sub)technique: 7
Resources mapped to this (sub)technique can be viewed on this page (see also the ATT&CK to D3FEND Mapper tool):
- Emulated File Analysis
- Dynamic Analysis
- Local File Permissions
- Executable Allowlisting
- Decoy File
- Executable Denylisting
- File Analysis
Last accessed: August 09, 2022
Total ATT&CK-mapped rules: 641
ATT&CK-mapped resources for this (sub)technique: 4
Resources mapped to this (sub)technique can be located in the following files within the repository's rules folder:
- PowerShell Suspicious Payload Encoded and Compressed)**
- Base64 Encoding/Decoding Activity)**
- Hex Encoding/Decoding Activity)**
Last accessed: August 09, 2022
Total ATT&CK-mapped rules: 450
ATT&CK-mapped resources for this (sub)technique: 5
Resources mapped to this (sub)technique can be located in the following files within the repository's Detections folder:
- ASimProcess / Base64 encoded Windows process command-lines (Normalized Process Events)
- SecurityEvent / Base64 encoded Windows process command-lines
- SecurityEvent / Process executed from binary hidden in Base64 encoded file
- SecurityEvent / NRT Base64 encoded Windows process command-lines
- SecurityEvent / NRT Process executed from binary hidden in Base64 encoded file
Last accessed: August 09, 2022
Total ATT&CK-mapped rules: 2578
ATT&CK-mapped resources for this (sub)technique: 81
Resources mapped to this (sub)technique can be located in the following files within the repository's rules folder:
- linux / process_creation / Decode Base64 Encoded Text
- macos / process_creation / Decode Base64 Encoded Text
- windows / builtin / security / Operation Wocao Activity
- windows / builtin / security / Invoke-Obfuscation CLIP+ Launcher
- windows / builtin / security / Invoke-Obfuscation Obfuscated IEX Invocation
- windows / builtin / security / Invoke-Obfuscation STDIN+ Launcher
- windows / builtin / security / Invoke-Obfuscation VAR+ Launcher
- windows / builtin / security / Invoke-Obfuscation COMPRESS OBFUSCATION
- windows / builtin / security / Invoke-Obfuscation RUNDLL LAUNCHER
- windows / builtin / security / Invoke-Obfuscation Via Stdin
- windows / builtin / security / Invoke-Obfuscation Via Use Clip
- windows / builtin / security / Invoke-Obfuscation Via Use MSHTA
- windows / builtin / security / Invoke-Obfuscation Via Use Rundll32
- windows / builtin / security / Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- windows / builtin / system / Invoke-Obfuscation CLIP+ Launcher
- windows / builtin / system / Invoke-Obfuscation Obfuscated IEX Invocation
- windows / builtin / system / Invoke-Obfuscation STDIN+ Launcher
- windows / builtin / system / Invoke-Obfuscation VAR+ Launcher
- windows / builtin / system / Invoke-Obfuscation COMPRESS OBFUSCATION
- windows / builtin / system / Invoke-Obfuscation RUNDLL LAUNCHER
- windows / builtin / system / Invoke-Obfuscation Via Stdin
- windows / builtin / system / Invoke-Obfuscation Via Use Clip
- windows / builtin / system / Invoke-Obfuscation Via Use MSHTA
- windows / builtin / system / Invoke-Obfuscation Via Use Rundll32
- windows / builtin / system / Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- windows / builtin / system / New Service Uses Double Ampersand in Path
- windows / file_event / RedMimicry Winnti Playbook Dropped File
- windows / file_event / Suspicious Get-Variable.exe Creation
- windows / powershell / powershell_module / Invoke-Obfuscation CLIP+ Launcher
- windows / powershell / powershell_module / Invoke-Obfuscation Obfuscated IEX Invocation
- windows / powershell / powershell_module / Invoke-Obfuscation STDIN+ Launcher
- windows / powershell / powershell_module / Invoke-Obfuscation VAR+ Launcher
- windows / powershell / powershell_module / Invoke-Obfuscation COMPRESS OBFUSCATION
- windows / powershell / powershell_module / Invoke-Obfuscation RUNDLL LAUNCHER
- windows / powershell / powershell_module / Invoke-Obfuscation Via Stdin
- windows / powershell / powershell_module / Invoke-Obfuscation Via Use Clip
- windows / powershell / powershell_module / Invoke-Obfuscation Via Use MSHTA
- windows / powershell / powershell_module / Invoke-Obfuscation Via Use Rundll32
- windows / powershell / powershell_module / Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- windows / powershell / powershell_script / Invoke-Obfuscation CLIP+ Launcher
- windows / powershell / powershell_script / Invoke-Obfuscation Obfuscated IEX Invocation
- windows / powershell / powershell_script / Invoke-Obfuscation STDIN+ Launcher
- windows / powershell / powershell_script / Invoke-Obfuscation VAR+ Launcher
- windows / powershell / powershell_script / Invoke-Obfuscation COMPRESS OBFUSCATION
- windows / powershell / powershell_script / Invoke-Obfuscation RUNDLL LAUNCHER
- windows / powershell / powershell_script / Invoke-Obfuscation Via Stdin
- windows / powershell / powershell_script / Invoke-Obfuscation Via Use Clip
- windows / powershell / powershell_script / Invoke-Obfuscation Via Use MSHTA
- windows / powershell / powershell_script / Invoke-Obfuscation Via Use Rundll32
- windows / powershell / powershell_script / Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- windows / process_creation / Turla Group Commands May 2020
- windows / process_creation / Operation Wocao Activity
- windows / process_creation / Malicious Base64 Encoded Powershell Invoke Cmdlets
- windows / process_creation / Base64 Encoded Listing of Shadowcopy
- windows / process_creation / Base64 Encoded Reflective Assembly Load
- windows / process_creation / Invoke-Obfuscation CLIP+ Launcher
- windows / process_creation / Invoke-Obfuscation Obfuscated IEX Invocation
- windows / process_creation / Invoke-Obfuscation STDIN+ Launcher
- windows / process_creation / Invoke-Obfuscation VAR+ Launcher
- windows / process_creation / Invoke-Obfuscation COMPRESS OBFUSCATION
- windows / process_creation / Invoke-Obfuscation RUNDLL LAUNCHER
- windows / process_creation / Invoke-Obfuscation Via Stdin
- windows / process_creation / Invoke-Obfuscation Via Use Clip
- windows / process_creation / Invoke-Obfuscation Via Use MSHTA
- windows / process_creation / Invoke-Obfuscation Via Use Rundll32
- windows / process_creation / Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- windows / process_creation / Emotet Process Creation
- windows / process_creation / PowerShell Base64 Encoded Shellcode
- windows / process_creation / Encoded PowerShell Command Line Usage of ConvertTo-SecureString
- windows / process_creation / Suspicious PowerShell Cmdline
- windows / process_creation / Suspicious PowerShell Command Line
- windows / process_creation / Encoded PowerShell Command Line
- windows / process_creation / Suspicious Encoded PowerShell Command Line
- windows / process_creation / FromBase64String Command Line
- windows / process_creation / Suspicious XOR Encoded PowerShell Command Line
- windows / process_creation / Suspicious Base64 Encoded Powershell Invoke
- windows / process_creation / Suspicious Encoded Obfuscated LOAD String
- windows / process_creation / Certutil Encode
- windows / process_creation / Obfuscated Command Line Using Special Unicode Characters
- windows / process_creation / Ping Hex IP
- windows / process_creation / PowerShell Encoded Character Syntax
Last accessed: August 09, 2022
Total ATT&CK-mapped rules: 1624
ATT&CK-mapped resources for this (sub)technique: 8
Resources mapped to this (sub)technique can be located in the following files within the repository's detections folder:
- endpoint / CSC Net On The Fly Compilation
- endpoint / Linux Decode Base64 to Shell
- endpoint / Linux Obfuscated Files or Information Base64 Decode
- endpoint / Malicious PowerShell Process - Encoded Command
- endpoint / Powershell Creating Thread Mutex
- endpoint / Powershell Enable SMB1Protocol Feature
- endpoint / Powershell Fileless Script Contains Base64 Encoded Content
- endpoint / Wermgr Process Create Executable File
Last accessed: August 10, 2022
Total ATT&CK-mapped tests: 1341
ATT&CK-mapped resources for this (sub)technique: 8
The following unit tests mapped to this (sub)technique can be located in the file here:
- Decode base64 Data into Script
- Execute base64-encoded PowerShell
- Execute base64-encoded PowerShell from Windows Registry
- Execution from Compressed File
- DLP Evasion via Sensitive Data in VBA Macro over email
- DLP Evasion via Sensitive Data in VBA Macro over HTTP
- Obfuscated Command in PowerShell
- Obfuscated Command Line using special Unicode characters