# T1027 Obfuscated Files or Information

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. 

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)

## Technique Detection

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). 

Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like `^` and `"`. Windows' Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)

Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. 

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. 

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

### Defenses Bypassed:

  * Host Forensic Analysis

  * Signature-based Detection

  * Host Intrusion Prevention Systems

  * Application Control

  * Log Analysis

### Data Sources:

  * **Command:** Command Execution

  * **File:** File Creation

  * **File:** File Metadata

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has encoded commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has encrypted its binaries via AES.(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also encoded files using Base64.(Citation: Aqua TeamTNT August 2020)| 
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has obfuscated tools and malware it uses with VMProtect.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered initial payloads hidden using archives and encoding measures.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Proofpoint TA416 Europe March 2022)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used obfuscated variable names in a JavaScript configuration file.(Citation: Unit 42 Valak July 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used base64 encoding and ECDH-P256 encryption for scripts and files.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used encoded PowerShell commands.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has base64 encoded scripts and payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.(Citation: FoxIT Wocao December 2019)| 
| GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has executed base64 encoded PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020)	| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used string encoding with floating point calculations.(Citation: BlackBerry Bahamut)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)| 
| Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019)	| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019)| 
| Mofang | [Mofang](https://attack.mitre.org/groups/G0103) has compressed the [ShimRat](https://attack.mitre.org/software/S0444) executable within malicious email attachments. [Mofang](https://attack.mitre.org/groups/G0103) has also encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) used Base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has run encoded commands from the command line.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)| 
| APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used ConfuserEx to obfuscate its variant of [Imminent Monitor](https://attack.mitre.org/software/S0434), compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019) [Kimsuky](https://attack.mitre.org/groups/G0094) has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [HTRAN](https://attack.mitre.org/software/S0040) in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.(Citation: Cybereason Soft Cell June 2019)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has password-protected malicious Word documents and used base64 encoded PowerShell commands.(Citation: Proofpoint TA505 Sep 2017)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silence Jan 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)| 
| Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) drops files with base64-encoded data.(Citation: McAfee Honeybee)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) used Base64 to obfuscate commands and the payload.(Citation: FireEye APT19)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) has obfuscated strings in [Bandook](https://attack.mitre.org/software/S0234) by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)| 
| Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) obfuscated scripts that were used on victim machines.(Citation: Symantec Leafminer July 2018)| 
| Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has obfuscated code using base64 and gzip compression.(Citation: Proofpoint Leviathan Oct 2017)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used environment variables and standard input (stdin) to obfuscate command-line arguments. [FIN8](https://attack.mitre.org/groups/G0061) also obfuscates malicious macros delivered as payloads.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021)| 
| BlackOasis | [BlackOasis](https://attack.mitre.org/groups/G0063)'s first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.(Citation: Securelist BlackOasis Oct 2017)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. [APT32](https://attack.mitre.org/groups/G0050) has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat" (DKMC). [APT32](https://attack.mitre.org/groups/G0050) also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)|
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020)| 
| Group5 | [Group5](https://attack.mitre.org/groups/G0043) disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used Base64 encoding within malware variants. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: iSight Sandworm Oct 2014)(Citation: ESET Telebots Dec 2016)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for [Native API](https://attack.mitre.org/techniques/T1106) function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)| 
| Dust Storm | [Dust Storm](https://attack.mitre.org/groups/G0031) has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.(Citation: Cylance Dust Storm)| 
| Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool can encrypt payloads using XOR. [Threat Group-3390](https://attack.mitre.org/groups/G0027) malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)| 
| Putter Panda | Droppers used by [Putter Panda](https://attack.mitre.org/groups/G0024) use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.(Citation: CrowdStrike Putter Panda)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used encoded PowerShell commands.(Citation: FireEye APT29 Nov 2018)| 
| Night Dragon | A [Night Dragon](https://attack.mitre.org/groups/G0014) DLL included an XOR-encoded section.(Citation: McAfee Night Dragon)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used encryption (including salted 3DES via [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Out-EncryptedScript.ps1</code>), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.(Citation: ESET Turla PowerShell May 2019)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) encrypted a .dll payload using RTL and a custom encryption algorithm. [APT28](https://attack.mitre.org/groups/G0007) has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used Base64-encoded shellcode strings.(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1027)

  * [Volexity PowerDuke November 2016](https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/), Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

  * [GitHub Revoke-Obfuscation](https://github.com/danielbohannon/Revoke-Obfuscation), Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.

  * [FireEye Obfuscation June 2017](https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html), Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.

  * [FireEye Revoke-Obfuscation July 2017](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf), Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.

  * [GitHub Office-Crackros Aug 2016](https://github.com/itsreallynick/office-crackros), Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.

  * [Linux/Cdorked.A We Live Security Analysis](https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/), Bureau, P.-M. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.

  * [Carbon Black Obfuscation Sept 2016](https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/), Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.

  * [PaloAlto EncodedCommand March 2017](https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/), White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.

  * [Capec](https://capec.mitre.org/data/definitions/267.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 6 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis
- APTs may attempt to obfuscate files during initial access to avoid detection by intrusion detection systems or email gateways.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | X | X |
| APT29 | X | X |
| Turla | X | X |

#### APT28
- Has encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.
- Identifying compressed files or scripts will narrow the scope when hunting for APT28 evasion attempts.
  - Attention to content type will assist during investigations.

#### APT29 
- has been observed utilizing PowerShell for Base64 obfuscation and weaponizing Windows shortcut files. 

#### Turla 
- has been observed using encryption (including salted 3DES via PowerSploit’s Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.
- may obfuscate their code/payloads by use of random variable names, and base64 encoding.
- has been known to use Uroburos, whose waitwain64.ds file and internal database of configuration information are encrypted with CAST-128 in cipher block chaining (CBC) mode.
- The adversary may attempt to deploy a second-stage backdoor (e.g. Gazer) in order to maintain access to the network for tool removal.
- Command and Control communications (specifically GET Requests) could potentially identify the adversary's location and objective. 

## Detection Blindspots
- The stage of intrusion may determine what can be analyzed or observed.
- Encrypted traffic may not allow for full analysis of payload.
- Sensor placement (Tap/Span) may not allow for detection of this TTP.

## Analytical References

  * [ESET Gazer](https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf)
  * [Uroburos: The Snake Rootkit](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf)
  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [How to use regex and wildcard queries - elasticsearch (objectrocket)](https://kb.objectrocket.com/elasticsearch/how-to-use-regexp-and-wildcard-queries-to-return-documents-with-a-partial-string-match)
  * [Query DSL regex (elastic)](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/query-dsl-regexp-query.html)
  * [Accenture - Cyber Advisory on SNAKEMACKEREL](https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50)
  * [Cyber Conflict Decoy Document 2017 (talosintelligence)](https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html)
  * [Sofacy Groups Parallel Attacks (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/)
  * [In-Depth Analysis of APT28 Political Espionage (bitdefender)](https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes
- Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

- The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

More Information on Gazer:

- Second-stage backdoor
- Shares build similarities with previously used backdoors (Carbon & Kazuar)
- Uses its own library for 3DES and RSA

Gazer Architecture:

<p align="center">
<img src="../../Images/T1027_Obfuscated_FIles_Information.PNG">
</p>

#### Analytic 1

  * **Information:** Check for uninterpreted escape characters in command-line arguments

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like `^` and `"`. Windows' Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads.

  * **Query Pseudo:** `(Event_ID:1 OR Event_ID:4688) AND (command.line:*^* OR command.line:*\"*)`

#### Analytic 2

  * **Information:** Adversaries may define environment variables (with cmd.exe's `set` or `setx.exe`) whose obfuscated values are later expanded to execute more malicious material.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** One technique reported by FireEye is for an adversary to define a variable holding a broken-up command (`set x=wsc@ript`) and then execute it with the obfuscating character removed through string substitution (`echo %x:@=%|cmd`). `set` is a cmd.exe built-in, so it never appears as a process of its own; hunt for it in cmd.exe command lines, whereas `setx.exe` runs as a separate executable.

  * **Query Pseudo:** `process.name : setx.exe OR (process.name : cmd.exe AND process.command.line : *set*)`
  
  
#### Analytic 3

  * **Information:** Look for PowerShell encoded commands or `iex` (Invoke-Expression) instances.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** PowerShell accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, ...) and switch matching is case-insensitive, so a wildcard on the full switch name alone misses many encoded invocations. `iex` also appears in benign scripts, so triage hits rather than alerting on them directly.

  * **Query Pseudo:** `process.name : powershell.exe AND process.command.line : (*-EncodedCommand* OR *iex* OR *Base64String* OR *Out-EncryptedScript.ps1*)`
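An added example, not from this playbook, that runs Host Analytics 1 to 3 over constructed Sysmon EID 1 / Security EID 4688 style records in Python: it flags caret and quote escapes, cmd.exe `set` plus `%var:a=b%` substitution, `iex` / `FromBase64String`, and any accepted prefix of `-EncodedCommand`, and decodes the encoded payload so the analyst sees the plaintext. The record field names, the events and the benign `Write-Host` payload are all constructed for the example.

```python
"""Added example (not from the playbook): score Sysmon EID 1 / Security EID 4688
command lines for the obfuscation indicators behind Host Analytics 1-3 and decode
-EncodedCommand payloads.  Every record below is constructed; the field names
(event_id, image, command_line) are an assumption, not a product schema."""
import base64
import re

# Tokens broken up by caret or quote escapes that cmd.exe strips before execution.
CARET_RE = re.compile(r"\^[A-Za-z0-9]")
QUOTE_IN_TOKEN_RE = re.compile(r'[^\s"]"[^\s"]+"[^\s"]')
# cmd.exe built-in variable definition and %var:old=new% string substitution.
SET_RE = re.compile(r"\bset\s+[A-Za-z_]\w*=", re.I)
SUBST_RE = re.compile(r"%[A-Za-z_]\w*:[^%=]+=[^%]*%")
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)
B64CALL_RE = re.compile(r"frombase64string", re.I)
# A switch followed by a base64 run; the switch name is checked in code because
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
SWITCH_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})")


def extract_encoded_command(cmdline: str):
    """Decode the first -EncodedCommand (or accepted prefix) payload; None if absent."""
    for switch, blob in SWITCH_RE.findall(cmdline):
        s = switch.lower()
        if s == "ec" or "encodedcommand".startswith(s):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                continue  # switch looked right but the blob is not a UTF-16LE script
    return None


def indicators(cmdline: str) -> list:
    """Names of the obfuscation indicators present in one command line."""
    checks = [
        ("caret_escape", CARET_RE), ("quote_in_token", QUOTE_IN_TOKEN_RE),
        ("cmd_set_variable", SET_RE), ("env_string_substitution", SUBST_RE),
        ("invoke_expression", IEX_RE), ("base64_decode_call", B64CALL_RE),
    ]
    found = [name for name, rx in checks if rx.search(cmdline)]
    if extract_encoded_command(cmdline) is not None:
        found.append("encoded_command")
    return found


def scan_events(events) -> list:
    """Apply the Analytic 1 event filter (EID 1 or 4688) and keep flagged records."""
    hits = []
    for ev in events:
        if ev["event_id"] not in (1, 4688):
            continue
        found = indicators(ev["command_line"])
        if found:
            hits.append({"event_id": ev["event_id"], "image": ev["image"],
                         "indicators": found,
                         "decoded": extract_encoded_command(ev["command_line"])})
    return hits


ENCODED_SCRIPT = "Write-Host 'hunt'"  # constructed benign payload
ENCODED_BLOB = base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed Sysmon EID 1 / Security EID 4688 records
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "set x=wsc@ript&&echo %x:@=%|cmd"'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -enc {ENCODED_BLOB}"},
    {"event_id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c po^wer"sh"ell -c "iex ([Text.Encoding]::Unicode.GetString('
                     "[Convert]::FromBase64String('QQA=')))\""},
    {"event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["event_id"], hit["indicators"], hit["decoded"])
```

The last record is a plain scheduled script and produces no indicators, which is the check that the regexes are not firing on ordinary PowerShell switches.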



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Initial detection should be treated as an indication of a potentially more invasive intrusion.

- Coordinate with Intel to assist in identifying any IOCs that may relate to this TTP and your threat actor.

- If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

- Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments.

- The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

* **C2 Server Communications:**
    * The malware communicates with its C&C server to retrieve tasks (through HTTP GET requests) and to send the tasks results (through HTTP POST requests)
    * Before sending a request to the C&C, the command CMC_GIVE_SETTINGS is sent to the orchestrator through its communication channel (a named pipe). The message (MSG) contained in the packet in this case is a single byte set by the orchestrator for the command result status
    * The orchestrator replies on the same channel with the settings retrieved from the working directory with the object id, the list of the C&C servers and the last connection date
    * A GET request is performed to retrieve a task from the C&C
    * The parameters of the GET request are chosen from amongst a hardcoded list of keywords that does not look suspicious. Their values are generated randomly in the charset [a-z0-9] with a random size from a range given for each parameter:
    * id [6-12] (As with all other parameters, if this parameter is used in the request, it will have a random value (of letters and digits) with a random size between 6 and 12 characters)

**C2 GET parameters**

| Parameter | Value length (characters) |
|-----------|---------------------------|
| hash | 10-15 |
| member | 6-12 |
| session | 10-15 |
| partners | 5-10 |
| photo | 6-10 |
| adm | 6-12 |
| video | 6-10 |
| author | 6-12 |
| album | 6-10 |
| contact | 6-12 |
| client | 5-10 |
| content | 6-12 |
| key | 5-10 |
| user | 6-12 |
| account | 6-12 |



**Examples of GET requests** (five separate requests, one per line)

```
xxx.php?album=2ildzq&key=hdr2a&partners=d2lic33f&session=nurvxd2x0z8bztz&video=sg508tujm&photo=4d4idgk
xxx.php?photo=he29zms5fc&user=hvbc2a&author=xvfj5r0q9c&client=7mvvc&partners=t4mgmuy&adm=lo3r6v4
xxx.php?member=ectwzo820&contact=2qwi15&album=f1qzoxuef4&session=x0z8bztz8hrs65f&id=t3x0ftu9
xxx.php?partners=ha9hz9sn12&hash=5740kptk3acmu&album=uef4nm5d&session=dpeb67ip65f&member=arj6x3ljj
xxx.php?video=nfqsz570&client=28c7lu2&partners=818eguh70&contact=ibj3xch&content=1udm9t799ixr&session=5fjjt61qred9uo
```

- Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.


#### Analytic 1

  * **Information:** Identify compressed files and/or scripts

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Adding an entropy range to the search increases confidence: compressed and encrypted bodies sit near the top of the 0-8 scale, while plain text sits well below it.

  * **Arkime Query:** `http.bodymagic == application/x-gzip<modify as needed> && entropy.http == <range 0-8>`
  
  * **Arkime Query:** `http.content-type == EXISTS!<modify as needed> && entropy.http == <range 0-8>`
  

#### Analytic 2

  * **Information:** Identify GET requests containing randomly generated character sets

  * **Source:** PCAP

  * **Tool:** Kibana

  * **Notes:** A regular expression over the query string (a keyword from the list above followed by an [a-z0-9] value of the expected length) will narrow the GET results considerably.

  * **Kibana Query:** `http.method: "GET"`
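An added example, not from this playbook, that covers both network analytics in Python: Shannon entropy with a gzip magic-byte check for HTTP bodies (Analytic 1) and a matcher for the Gazer GET parameter pattern from the table above (Analytic 2). The bodies are constructed; two GET targets are copied from the example requests above and two are constructed benign requests; `MIN_PARAMS`, the 7.0 entropy cut-off and the base64 rule are tuning assumptions of this example.

```python
"""Added example (not from the playbook): checks behind Network Analytics 1 and 2.
Bodies are constructed samples; the keyword list, [a-z0-9] charset and length
ranges come from the C2 GET parameter table above."""
import base64
import gzip
import hashlib
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# --- Analytic 1: compressed, encrypted or encoded bodies ------------------------
GZIP_MAGIC = b"\x1f\x8b"                                # http.bodymagic == application/x-gzip
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}$")   # base64 alphabet only
HIGH_ENTROPY = 7.0                                      # tuning assumption, scale is 0..8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8), the quantity an entropy.http range filters on."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_body(body: bytes) -> tuple:
    """Return (label, entropy).  gzip is decided by magic bytes; base64 bodies top
    out near 6 bits/byte, so they get their own rule instead of the entropy cut."""
    ent = shannon_entropy(body)
    if body.startswith(GZIP_MAGIC):
        return "gzip", ent
    if len(body) >= 64 and BASE64_RE.match(body) and ent > 5.0:
        return "base64", ent
    if ent > HIGH_ENTROPY:                   # likely encrypted, no recognisable magic
        return "high-entropy", ent
    return "text", ent


# --- Analytic 2: Gazer-style GET parameters -------------------------------------
GAZER_PARAMS = {                             # keyword: (min, max) value length
    "id": (6, 12), "hash": (10, 15), "member": (6, 12), "session": (10, 15),
    "partners": (5, 10), "photo": (6, 10), "adm": (6, 12), "video": (6, 10),
    "author": (6, 12), "album": (6, 10), "contact": (6, 12), "client": (5, 10),
    "content": (6, 12), "key": (5, 10), "user": (6, 12), "account": (6, 12),
}
VALUE_RE = re.compile(r"^[a-z0-9]+$")
MIN_PARAMS = 3        # tuning assumption: the report's samples carry five or six


def gazer_like_request(target: str) -> bool:
    """True when every query parameter is a Gazer keyword whose value is [a-z0-9]
    with a length inside that keyword's range."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if len(pairs) < MIN_PARAMS:
        return False
    for name, value in pairs:
        bounds = GAZER_PARAMS.get(name)
        if bounds is None or not VALUE_RE.match(value):
            return False
        if not bounds[0] <= len(value) <= bounds[1]:
            return False
    return True


# --- constructed samples ----------------------------------------------------------
PLAIN_BODY = (b"<html><body><p>Quarterly report: revenue grew in every region while "
              b"operating costs stayed flat. See the attached tables.</p></body></html>") * 8
GZIP_BODY = gzip.compress(PLAIN_BODY, mtime=0)


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


OPAQUE_BODY = _pseudo_random(4096)
B64_BODY = base64.b64encode(OPAQUE_BODY)

GET_TARGETS = [   # first two copied from the Gazer example requests above
    "xxx.php?album=2ildzq&key=hdr2a&partners=d2lic33f&session=nurvxd2x0z8bztz&video=sg508tujm&photo=4d4idgk",
    "xxx.php?member=ectwzo820&contact=2qwi15&album=f1qzoxuef4&session=x0z8bztz8hrs65f&id=t3x0ftu9",
    "index.php?page=home&lang=en&user=jsmith1",     # benign: 'page' is not a keyword
    "gallery.php?album=vacation&photo=beach2020",   # benign: too few parameters
]

if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("gzip", GZIP_BODY), ("opaque", OPAQUE_BODY)):
        print(label, classify_body(body))
    print([t for t in GET_TARGETS if gazer_like_request(t)])
```

Keyword and length matching alone will also accept ordinary lowercase parameter values of the right length, so corroborate hits with the GET-for-tasks then POST-for-results rhythm described above.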

