# T1001 Data Obfuscation

-----------------------------------------------------------------------

## Technique Description

Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher, to make the communication less conspicuous, and to keep commands out of plain view. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has encrypted IP addresses used for "Agent" proxy hops with RC4.(Citation: FoxIT Wocao December 2019)|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1001)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will obfuscate command and control traffic to make it more difficult to detect.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| |  | |

#### APT28
- APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.
- Downdelph (downloader used by APT28) inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.
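To make the two APT28 notes concrete, here is a toy junk-insertion scheme of the kind they describe. This is an added example for this hunt page, not APT28's or Downdelph's actual code; the junk alphabet, the fixed junk length, the sample commands and the seeded generator are assumptions made so it runs offline. It shows why a byte signature on the wire fails (the same command never encodes to the same bytes twice), how little the receiver needs to strip the junk (just the agreed junk length), and one thing a fixed junk length still leaks: every wire length is a multiple of junk length + 1.

```python
"""Toy junk-insertion obfuscation of the kind the APT28 notes describe.

Added example for this hunt page, not APT28's or Downdelph's actual code:
the junk alphabet, the fixed junk length, the sample commands and the
seeded generator are assumptions made so the example runs offline.
"""
import math
import random
import string
from collections import Counter
from functools import reduce
from typing import Iterable, Optional

JUNK_ALPHABET = string.ascii_letters + string.digits  # assumed alphabet


def encode(command: str, junk_len: int, rng: random.Random) -> str:
    """After every real character insert junk_len pseudo-random characters."""
    out = []
    for ch in command:
        out.append(ch)
        out.extend(rng.choice(JUNK_ALPHABET) for _ in range(junk_len))
    return "".join(out)


def decode(wire: str, junk_len: int) -> str:
    """Keep every (junk_len + 1)-th character, starting with the first."""
    return wire[::junk_len + 1]


def shannon_entropy(s: str) -> float:
    """Bits per character; random junk pushes this toward log2(alphabet size)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def guess_junk_len(wires: Iterable[str]) -> Optional[int]:
    """Toy-scheme analysis: every wire length is a multiple of junk_len + 1.

    The gcd of the observed lengths recovers junk_len + 1 once samples with
    coprime command lengths have been seen. This only holds for a fixed
    junk length; a per-message or variable junk length defeats it.
    """
    g = reduce(math.gcd, (len(w) for w in wires), 0)
    return g - 1 if g > 1 else None


def demo() -> dict:
    """Encode constructed commands twice and report what a hunter would see."""
    rng = random.Random(1337)  # seeded so the run is reproducible
    junk_len = 3
    commands = ["cmd=whoami", "upload=/etc/passwd", "sleep=45s"]  # constructed
    wires = [encode(c, junk_len, rng) for c in commands]
    again = [encode(c, junk_len, rng) for c in commands]
    return {
        "round_trip_ok": all(decode(w, junk_len) == c for w, c in zip(wires, commands)),
        "signature_would_fail": wires != again,  # same commands, different bytes
        "entropy_plain": shannon_entropy("".join(commands)),
        "entropy_wire": shannon_entropy("".join(wires)),
        "guessed_junk_len": guess_junk_len(wires + again),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy figures are the part that carries over to real traffic: junk made of random characters raises the per-character entropy of URI paths, parameters or POST bodies well above what the legitimate protocol on that port normally shows, which is a measurable property even when the exact algorithm is unknown.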

#### APT29
- APT29 has used steganography to hide C2 communications in images.
- HAMMERTOSS (backdoor used by APT29) is controlled via commands that are appended to image files.
- WellMess (malware used by APT29) can use junk data in the Base64 string for additional obfuscation.

#### Turla
- LightNeuron (backdoor used by Turla) is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.
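The HAMMERTOSS note (commands appended to image files) points at the simplest check a hunter can run on images pulled from proxy logs or from disk: is there anything after the end of the image? The following is an added example for this hunt page, not code from FireEye, ESET or any of the implants above. It parses the PNG chunk list to the IEND chunk and walks JPEG marker segments to the EOI marker, then reports any trailing bytes. The sample images are constructed minimal byte strings, not real files. Caveat: this only finds appended data; pixel-level steganography (for example LSB embedding, or the methods the LightNeuron note refers to) leaves the container well-formed and is not detected here.

```python
"""Find data appended after the end of a JPEG or PNG.

Added example for this hunt page, not code from FireEye, ESET or any
implant described above. Sample images are constructed, not real files.
"""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND's CRC, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            return None  # truncated chunk: malformed, not a trailer
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk marker segments, skipping entropy-coded scan data, to EOI.

    FF 00 (byte stuffing) and FF D0..D7 (restart markers) inside scan data
    are not segment starts, and an EXIF thumbnail carries its own EOI inside
    an APP1 segment, so searching for the first or last FF D9 misfires.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2  # EOI
        if marker == 0xFF:
            pos += 1  # fill byte before a marker
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2  # markers that carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: scan data follows until the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes after the image proper; None if the container is unknown or malformed."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return None if end is None else data[end:]


def flag_appended(files: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Names of images that carry a trailer, with the trailer size in bytes."""
    hits = []
    for name, data in files.items():
        trailer = trailing_data(data)
        if trailer:
            hits.append((name, len(trailer)))
    return hits


# --- constructed samples (not real files) --------------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (
    PNG_SIG
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1 greyscale
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _png_chunk(b"IEND", b"")
)
CLEAN_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS, one component
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # scan data with stuffing and an RST0 marker
    + JPEG_EOI
)
TRAILER = b"constructed trailer standing in for appended C2 data"
SAMPLES = {
    "clean.png": CLEAN_PNG,
    "clean.jpg": CLEAN_JPEG,
    "carrier.png": CLEAN_PNG + TRAILER,
    "carrier.jpg": CLEAN_JPEG + TRAILER,
}

if __name__ == "__main__":
    print(flag_appended(SAMPLES))
```

Run it over image objects carved from a proxy or PCAP and over image files in user profile and temp directories; a trailer of more than a handful of bytes on an image served by a site the host talks to repeatedly is the lead. Expect some noise from legitimate tools that append metadata after the image, so baseline before alerting.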

## Detection Blindspots

- The evidence of this technique is the obfuscated content itself, and that travels over the network. Host telemetry shows only the surrounding activity (a process opening a connection, a script block that encodes data), not the obfuscation, so a Network Analyst with access to packet content is better placed to detect it. The host analytics below produce leads to pivot from, not detections of the technique.

## Analytical References

  * [RPT-APT28 (fireeye)](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [ESET Sednit Part3 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf)
  * [ESET Operation Ghost Dukes (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf)
  * [RPT-APT29 Hammertoss (fireeye)](https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf)
  * [Analysis report (cisa)](https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b)
  * [ESET LightNeuron (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

#### Analytic 1

  * **Information:** Check PowerShell script block logs (Event ID 4104) for script text that encodes, decodes or pads data before it is sent over the network

  * **Source:** Windows Event Log, Microsoft-Windows-PowerShell/Operational (Script Block Logging must be enabled, otherwise no 4104 events are written)

  * **Tool:** Kibana

  * **Notes:** `event.code : 4104` alone returns every script block that ran. Narrow on indicators of encoding or junk handling in the logged script text (Base64 decoding, `-EncodedCommand`, character joins) and review the longest and least common script blocks first. Management tooling and installers also Base64-encode commands, so baseline them before alerting.

  * **Query:** ```event.code : 4104 and message : (*FromBase64String* or *EncodedCommand* or *-join*)```

#### Analytic 2

  * **Information:** Search for processes making network connections that should not be using the network, or that have not been seen doing so before

  * **Source:** Sysmon (Event ID 3, Network connection; requires a NetworkConnect rule in the Sysmon configuration)

  * **Tool:** Kibana

  * **Notes:** Least frequency analysis: visualize the query as a terms aggregation on `process.name` (then on `process.executable` and `destination.ip`) and work upward from the rarest values. Filter on the Sysmon provider, since other channels also emit Event ID 3. Compare against a baseline of each host's normal network-using processes; a first-seen process, or a known process connecting from an unusual path, is the lead to pull.

  * **Query:** ```event.code : 3 and event.provider : "Microsoft-Windows-Sysmon" and process.name : *```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
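Both hunter notes above (and the same two points in the Technique Detection text) reduce to checks a network analyst can run over flow records: compare bytes sent with bytes received, and compare the first client payload bytes with what the destination port implies. The following is an added example for this hunt page, not a tool the page describes. The flow records, first-payload bytes and thresholds are constructed assumptions so that it runs offline; in practice the byte counts come from Zeek conn.log or NetFlow and the payload bytes from a PCAP, and the thresholds need tuning against your own baseline.

```python
"""Flow-level checks for the two Network Analytics hunter notes.

Added example for this hunt page, not a tool the page describes. Flow
records, payload bytes and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    orig_bytes: int       # client -> server
    resp_bytes: int       # server -> client
    first_payload: bytes  # first bytes the client sent (constructed here)

    @property
    def ident(self) -> str:
        return f"{self.src}->{self.dst}:{self.dport}"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"CONNECT ")


def looks_like_tls_client_hello(p: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03 and p[5] == 0x01


def looks_like_http_request(p: bytes) -> bool:
    return p.startswith(HTTP_METHODS)


# What the first client bytes should look like on a well-known port.
EXPECTED: Dict[int, Callable[[bytes], bool]] = {
    443: looks_like_tls_client_hello,
    80: looks_like_http_request,
}


def upload_heavy(flow: Flow, ratio: float = 5.0, min_bytes: int = 50_000) -> bool:
    """Client sent far more than it received (the 'uncommon data flow' note).

    min_bytes keeps ordinary request/response pairs out; a large upload with
    no reply at all counts, rather than dividing by zero.
    """
    if flow.orig_bytes < min_bytes:
        return False
    return flow.resp_bytes == 0 or flow.orig_bytes / flow.resp_bytes >= ratio


def protocol_mismatch(flow: Flow) -> bool:
    """First payload does not match the protocol expected on the port (the second note)."""
    check = EXPECTED.get(flow.dport)
    return check is not None and not check(flow.first_payload)


def hunt(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (flow, reason) pairs for the flows worth an analyst's time."""
    findings = []
    for f in flows:
        if upload_heavy(f):
            findings.append((f.ident, "upload-heavy"))
        if protocol_mismatch(f):
            findings.append((f.ident, f"unexpected payload on {f.dport}"))
    return findings


# --- constructed sample flows (TEST-NET addresses, not real traffic) -------
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # start of a ClientHello record
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 4_000, 150_000, TLS_HELLO),    # normal browsing
    Flow("10.0.0.5", "203.0.113.20", 443, 900_000, 20_000, TLS_HELLO),   # large upload over TLS
    Flow("10.0.0.7", "203.0.113.30", 443, 3_000, 2_000, b"\x00\x00\x00\x10\x8a\x01\x02\x03"),  # 443, not TLS
    Flow("10.0.0.7", "203.0.113.40", 80, 1_200, 30_000, b"GET /index.html HTTP/1.1\r\n"),      # normal HTTP
    Flow("10.0.0.9", "203.0.113.50", 80, 70_000, 0, b"\x8a\x01\x7f\x00\x00\x03"),             # 80, binary, no reply
]

if __name__ == "__main__":
    for ident, reason in hunt(SAMPLE_FLOWS):
        print(f"{ident}\t{reason}")
```

The second check is deliberately shallow: it asks only whether the first bytes fit the port, which is enough to catch a custom protocol riding on 443 but will pass a C2 channel that genuinely speaks TLS. For those, the byte-ratio check and beaconing regularity are the remaining flow-level signals, and decryption or JA3-style fingerprinting is the next step.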
