Technique T1027

Obfuscated Files or Information

Obfuscation and encoding empowers adversaries to perform malicious actions that, if executed in plaintext, would be trivial to prevent, detect, or otherwise mitigate.

Pairs with this song

#7

Overall rank

32.8%

Organizations affected

1341

Confirmed threats

Analysis

Why do adversaries use Obfuscated Files or Information?

Adversaries employ obfuscation to evade simple, signature-based detections and to impede analysis. Since obfuscation can be used by software and IT staff in the regular course of business, analysts investigating potentially malicious obfuscation are often left to wonder if what they are seeing reflects a legitimate business use or something nefarious. However, some obfuscation techniques are so focused on fooling machines that they disproportionately draw human attention.

If you consider the conspicuousness of the alternative—performing clearly malicious actions in plain sight—it makes complete sense that adversaries would take the time and effort to encrypt, encode, or otherwise obfuscate files or information that, in plaintext form, would be trivial to detect, block, and/or mitigate.

How do adversaries use Obfuscated Files or Information?

Obfuscation comes in many forms. In this section we will attempt to enumerate and briefly describe the obfuscation techniques that we observe most often across the environments we monitor.

Base64 encoding

Base64 encoding is the variety of obfuscation that we encounter most frequently. It enables binary data to transit text-only pathways and eliminates issues around string quoting and the need to escape special characters. Administrators and developers use Base64 encoding to pass scripts to subprocesses or remote systems, as well as to conceal sensitive information. These same benefits appeal to adversaries.

Nearly all of the 1,300 detections involving obfuscation we observed last year used Base64 encoding in conjunction with PowerShell. The following is an example of PowerShell combined with Base64 encoding from an activity cluster we named Yellow Cockatoo. This example combines multiple types of obfuscation beyond just Base64, including XOR obfuscation.

String concatenation

String concatenation is the second-most-common obfuscation variant Red Canary observed in 2020. Adversaries use string concatenation for the same reasons they use Base64 encoding: to hide malicious strings from automated detections that rely on overly exacting signatures and to confound analysts. String concatenation comes in many forms, such as:

  • The + operator can be used to combine string values
  • The -join operator combines characters, strings, bytes, and other elements using a specified delimiter character
  • Since PowerShell has access to .NET method, it can use the [System.String]::Join() method, which also combines characters like the -join operator
  • String interpolation allows adversaries to set values such that u can equal util.exe and cert%u% then executes as certutil.exe, effectively evading certain signature-based controls

Since interpolation is nuanced, we’ve included the following image of commands used by TA551 as an illustrative example of what is described in the last bullet above. drop.tmp is the DLL installer for the follow-on IcedID payload.

Substrings

Our next most common flavor of obfuscation involves the use of substrings. Take the following as an example of how an adversary might leverage a substring:

$ENV:pubLic[13]+$env:PublIc[5]+’x’.

The plus signs here are string concatenation, which we’ve addressed. Looking on either side of the plus sign, we see a substring that will cause PowerShell to combine the 14th and sixth characters (remember, the first element of an array starts at 0) from the Public environment variable. On most systems, the public environmental variable will be C:\Users\Public. You can do the counting, but the resulting substring is ie. The + operator then adds an x on the end, resulting in an Invoke-Expression cmdlet that will execute whatever code is passed to it. If you had robust coverage looking for the execution of PowerShell with an Invoke-Expression in the command line, then you might miss this behavior.

The following command line used by Cobalt Strike offers a clear example of why an adversary might use a substring. Here the adversary is replacing a !, which is not a valid member of PowerShell’s Base64 character set, with an empty string. The result could help adversaries circumvent detection controls designed to alert on Base64 encoding.

Escape characters

Some obfuscation techniques are so focused on fooling machines that they disproportionately draw attention. PowerShell and the Windows Command Shell both have escape characters (i.e., ` or `\`, depending on the context, and `^`, respectively) for situations where users may want to prevent special characters from being interpreted by the command shell or PowerShell interpreter. Take the following string, which is copied from the string concatenation image above:

/u^r^l^c^a^c^h^e^ /f^

Examined in context, you can see that it contains two command-line options for certutil.exe: /urlcache and /f. The carets here are escape characters that serve no purpose except to protect this string against potential signature matches.

We see the DOS escape character used frequently in attacks in the manner above. PowerShell escape characters are also used, but more conservatively.

For more on this topic, take a look at the work of Daniel Bohannon, who has produced tools, whitepapers, and conference talks on the subjects of PowerShell and Windows Command Shell obfuscation.

Definition

Detection

Collection requirements

Windows Event Logs

Windows Security Event Log ID 4688 with command-line argument capture enabled is a great source of data for observing and detecting malicious use of obfuscation. However, so too are Sysmon and endpoint detection and response (EDR) tools, most of which will collect data that is integral to analyzing Obfuscated Files or Information: process execution and command lines.

Process and command-line monitoring

Obfuscation is often initiated by cmd.exe and powershell.exe commands. In order to gain visibility into the malicious use of obfuscation, you will need to monitor for the execution of certain processes in tandem with command-line parameters. Generally, you’ll want to watch out for execution of cmd.exe and powershell.exe with command-line parameters that are suggestive of suspicious obfuscation.

Detection opportunities

While the analysis section covered many variations of obfuscation, we’ll focus our detection suggestions on just those we observe with a degree of regularity.

Base64

Developing robust coverage for all the possible invocations of Base64 can be challenging. In general, it’s better to build detections around behaviors than patterns, but there is a place for both.

If you’re looking to detect malicious use of Base64 encoding, consider monitoring for the execution of processes like powershell.exe or cmd.exe along with command lines containing parameters like ToBase64String and FromBase64String.

Other encoding

Use of the -EncodedCommand PowerShell switch represents the most common form of obfuscation that we detect across the environments we monitor. Consider alerts for the execution of powershell.exe in tandem with any variation on the encoded command switch (e.g., -e, -ec,-encodedcommand,-encoded,-enc, -en, -encod, -enco, -encodedco, -encodedc, and -en^c).

Escape characters

Consider alerting on command lines containing excessive use of characters associated with obfuscation, like ^, = , % , ! , [ , (, ;. This FireEye blog post, code, and whitepaper offer excellent, detailed, actionable guidance on obfuscation detection strategies.

Weeding out false positives

Seeing as how this method is used by adversaries and administrative tasks alike, obfuscated files are prone to false positives. The best way to prevent false positive alerts on this type of behavior is to not depend on it as a sole indicator of malicious activity. Organizations should explore enabling PowerShell logging and execution policy restrictions set via GPO, which can’t be overridden at the command line, and enable enforcement of signed script execution and constrained runspaces.

Decoding the obfuscated information to determine its use and analyzing surrounding activities and behaviors will also reduce the false positive rate. Ask yourself:

  • What is the parent process? Is it a trusted source or common in the environment?
  • What child processes exist? Is the behavior they perform expected or non-threatening?
  • What sibling-processes are present? Are they benign in nature?

Testing

Getting Started With Atomic Red Team

Start testing your defenses against Obfuscated Files or Information using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View atomic tests for T1027: Obfuscated Files or Information. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using PowerShell:
$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

What to expect

The above is an obfuscated version of the following PowerShell command built with Invoke-Obfuscation:

Write-Host 'Hello, from PowerShell!'
Useful telemetry will include:
Data sourceTelemetry
Data source:

Process monitoring

Telemetry:

A powershell.exe process will start.

Data source:

Process command-line parameters

Telemetry:

Command-line logging will capture the context of what is executed.

Data source:

PowerShell logs / Windows event logs

Telemetry:

PowerShell ScriptBlock Logging will capture the decoded PowerShell contents via Microsoft-Windows-PowerShell/Operational Event ID 4104

Data source:

Microsoft Defender Antivirus

Telemetry:

The Defender application will, by default, prevent the execution of the command and display a “ScriptContainedMaliciousContent” error.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.

Andy Rothman
Detection Engineer Team Manager
Andy has been in IT for 14 years. He began on the help desk, grew into system administration, and eventually landed in information security. He cut his teeth on antivirus architecture and administration while also taking part in vulnerability management, firewall security, and Splunk administration. Andy joined Red Canary as a malware analyst, and now heads up operational management of the detection engineering team. Outside of work, Andy loves mountain biking, hiking, camping, swimming, and is an amateur photographer.
Andy has been in IT for 14 years. He began on the help desk, grew into system administration, and eventually landed in information security. He cut his teeth on antivirus architecture and administration while also taking part in vulnerability management, firewall security, and Splunk administration. Andy joined Red Canary as a malware analyst, and now heads up operational management of the detection engineering team. Outside of work, Andy loves mountain biking, hiking, camping, swimming, and is an amateur photographer.
James Young
Detection Engineer
James has more than a decade of experience in cyber threat analysis focusing on the financial and business sectors. He's passionate about sharing knowledge and hunting down malware. James is exploring his passions on Red Canary's Customer Security Operations team. When he's not hunting threats, he's hunting for powder on his snowboard in the mountains.
James has more than a decade of experience in cyber threat analysis focusing on the financial and business sectors. He's passionate about sharing knowledge and hunting down malware. James is exploring his passions on Red Canary's Customer Security Operations team. When he's not hunting threats, he's hunting for powder on his snowboard in the mountains.