By Shahrukh Khan · 7 min read

T1027-Obfuscated Files or Information

Trending MITRE ATT&CK Technique: T1027-Obfuscated Files or Information. Detections, visibility, use cases and real world attack insights.

Note: T1027 includes several sub-techniques, but this article primarily addresses the main technique. Therefore, this section provides an overview of the general technique rather than specific sub-techniques.

Adversaries use obfuscation to avoid detection by simple, signature-based analytics and to complicate analysis. Since legitimate software and IT administrators also use obfuscation, it becomes challenging to distinguish harmful obfuscation from normal obfuscation. Ironically, some obfuscation methods are designed to deceive machines but end up drawing more attention from human analysts.

Given the visibility of openly malicious actions, it's understandable that adversaries invest in encrypting, encoding, or otherwise obfuscating files or information that would be easily identifiable and straightforward to detect or block in its unencrypted form.

Malicious Objectives for Obfuscated Files or Information

Adversaries encrypt, encode, or obfuscate files and executables to evade detection and analysis, making it more difficult for security measures to identify and respond to malicious activities. Their primary objective is to bypass security controls, whether on a system or during data transit, by concealing the true nature of their payloads. They aim to avoid detection during both initial access and subsequent stages, ensuring that their malicious actions remain hidden and effective. By obscuring commands and using various obfuscation techniques, adversaries seek to circumvent signature-based detection and application control mechanisms, thereby enhancing their ability to execute their attacks undetected.

Mechanisms of Obfuscated Files or Information

Obfuscation techniques are employed to make malicious files, code, commands, configurations, and other data harder for security systems to detect. Key methods include:

  • Changing the Form of Data: Altering data through compression, archiving, or packing to avoid detection. Some methods require user interaction, such as entering a password to access a protected file.

  • Changing the Size of Data: Techniques like binary padding increase a file's size without affecting functionality, aiming to evade security tools that do not scan files larger than a specific size.

  • Hiding Malicious Data: Concealing malicious data within seemingly harmless files or splitting data to reduce detection rates. Techniques like steganography and HTML smuggling are examples.

  • Obfuscating or Removing Indicators: Hiding or removing signs of compromise, such as file signatures, environment variables, and section names, to bypass signature-based detection systems.

  • Manipulating Code Structure: Obscuring the logical flow of scripts through techniques like code rearrangement, making it difficult for analysts to understand the code's true nature.

Common Forms of Obfuscation

  • Base64 Encoding: Used to conceal sensitive information and scripts. Its widespread use by administrators makes it a favored tool for adversaries, especially in encoded PowerShell commands.

  • String Concatenation: Hides malicious strings from detection using methods such as the + operator, -join, or string interpolation to evade signature-based controls.

  • Substrings: Obfuscates code by extracting and combining specific characters, like combining parts of environment variables to form executable commands, thereby bypassing detection.

  • Escape Characters: Characters like \, `, and ^ are used to prevent special characters from being interpreted by the command shell or PowerShell, avoiding signature matches.

ATT&CK Technique Co-occurrences

Obfuscated Files or Information frequently co-occurs with PowerShell (T1059.001) and the Windows Command Shell (T1059.003), and is also commonly used with Ingress Tool Transfer (T1105). These patterns indicate that adversaries often use obfuscated commands in these environments, sometimes to covertly transfer tools.

Actions That Need to be Taken

Users of Microsoft Defender Antivirus can activate the "Block execution of potentially obfuscated scripts" attack surface reduction rule, which can be set to either audit or enforcement mode. Enforcement and audit events are logged with event IDs 1121 and 1122, respectively, in the Windows Defender (Operational) event log. If an event includes an ID field with the value 5beb7efe-fd9a-4556-801d-275e5ffc04cc, it indicates that the obfuscation rule was triggered.

Visibility

Process Monitoring

Obfuscation is commonly initiated by commands executed through cmd.exe and powershell.exe. To detect malicious obfuscation, it is crucial to monitor the execution of these processes, as well as other processes that might use or suggest obfuscation. However, monitoring processes alone is not sufficient to fully observe obfuscation activities.

Command Monitoring

Alongside process monitoring, examining command-line parameters is essential for identifying obfuscation techniques. Pay close attention to the execution of cmd.exe and powershell.exe with command-line parameters that display signs of suspicious obfuscation. This includes strings of random characters or commands indicative of obfuscation methods discussed previously.

File Monitoring

File monitoring can be valuable for detecting obfuscated files or information, especially when adversaries use compressed or archived scripts, such as JavaScript. Monitoring files for payloads hidden within ZIP files or similar archives can help identify obfuscated data and activities.

Detection Technology

Sysmon Event ID 1: Process Creation

Sysmon Event ID 1 logs process starts and their corresponding command lines, providing detailed visibility into PowerShell activities, including those involving obfuscation. This event is valuable for monitoring encoded PowerShell activity.

Sysmon Event ID 11: File Creation

Sysmon Event ID 11 records file creation events, which are useful for tracking adversaries who may hide malicious payloads within ZIP files. This event helps in detecting such concealed files.

Windows Security Event ID 4688: Process Creation

Windows Security Event ID 4688, with command-line argument capture enabled, is a critical source for detecting malicious obfuscation. It logs process execution details and command lines, offering essential data for analyzing obfuscated files. Sysmon and EDR tools also capture similar data, aiding in the detection and analysis of obfuscation.

Windows Security Event ID 1101: Antimalware Scan Interface (AMSI)

AMSI provides telemetry on the execution of PowerShell and other scripting languages like VBScript, JScript, and WMI. It is designed for security vendors to monitor both on-disk and in-memory executions. AMSI can detect obfuscated code layers, as it often reveals the innermost, less obfuscated parts during runtime. AMSI events are accessed through Event Tracing for Windows (ETW) rather than standard Windows event logging.

Endpoint Detection and Response (EDR) Tools

EDR tools serve as a powerful resource for identifying Obfuscated Files or Information. They offer extensive visibility into many aspects of endpoint activity, including process starts, command lines, and network connections. These capabilities provide organizations with the monitoring necessary to detect and respond to malicious activity effectively.

Possible Use Cases

Detecting Base64 encoding

To detect malicious use of Base64 encoding, monitor the execution of processes such as powershell.exe or cmd.exe that include command-line parameters like ToBase64String and FromBase64String. Implementing a straightforward analytic approach can assist in identifying instances of malicious obfuscation.

process == ('powershell.exe' || 'cmd.exe')
&&
command_includes ('base64')

PowerShell -EncodedCommand switch

To detect the use of the -EncodedCommand switch in PowerShell, which is a common obfuscation method, monitor for this specific switch in command-line executions. This switch is frequently discussed in threat detection reports and other security content. You can identify the use of -EncodedCommand with the following logic:

process == powershell.exe
&&
command_includes [any variation of the encoded command switch]*

Escape characters

Consider setting up alerts for command lines that use an excessive number of characters commonly associated with obfuscation, such as ^, =, %, !, [, (, and ;. While implementing this might be complex, the following pseudo-analytic provides a useful example of what to look for:

process == cmd.exe
&&
command_includes [excessive use of the following] ('^' || '=' || '%' || '!' || '[' || '(' || ';')

ZIP file spawning JavaScript

High volumes of obfuscation have been detected in phishing schemes where adversaries conceal JavaScript payloads within ZIP files. These ZIP files are often written to user and temporary directories.

process == 'wscript.exe'
&&
command_includes ('users' && 'temp' && '.zip' && '.js')
&&
has_external_netconn
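The four pseudo-analytics above, implemented as an added Python example that is not part of the original article. It runs them over constructed sample events shaped like Sysmon Event ID 1 / Security 4688 records (the external-connection flag is assumed to have been joined in from network telemetry), matches every abbreviation of -EncodedCommand that PowerShell accepts, and decodes the UTF-16LE payload for triage; the escape-character threshold is an assumption to be tuned against your own baseline.

```python
import base64

# Constructed telemetry, not real captures; "netconn" is assumed to come from a join
# with network-connection events (e.g. Sysmon Event ID 3).
ENCODED = base64.b64encode("Get-ChildItem $env:TEMP".encode("utf-16le")).decode()
EVENTS = [
    {"process": "powershell.exe", "cmd": f"powershell.exe -nop -w hidden -ec {ENCODED}", "netconn": False},
    {"process": "powershell.exe", "cmd": "powershell.exe -c [Convert]::FromBase64String($x)", "netconn": False},
    {"process": "cmd.exe", "cmd": 'cmd.exe /c s^e^t "a=%b:~1,2%"&&ca^l^l %a%!x![1](2);;', "netconn": False},
    {"process": "wscript.exe", "cmd": r"wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.zip\invoice.js", "netconn": True},
    {"process": "powershell.exe", "cmd": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1", "netconn": False},
]

# Every unambiguous prefix PowerShell accepts for -EncodedCommand (-e, -en, ... -encodedcommand)
# plus the -ec alias; this covers the "[any variation of the encoded command switch]" case.
ENC_SWITCHES = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
ESCAPE_CHARS = set("^=%!([;")

def encoded_payload(cmd):
    """Return the Base64 blob that follows an -EncodedCommand variant, or None."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and tok[1:].lower() in ENC_SWITCHES:
            return tokens[i + 1]
    return None

def decode_encoded_command(blob):
    """-EncodedCommand payloads are UTF-16LE text wrapped in Base64."""
    return base64.b64decode(blob).decode("utf-16le")

def escape_char_ratio(cmd):
    """Share of the command line made up of characters typical of cmd.exe obfuscation."""
    return sum(c in ESCAPE_CHARS for c in cmd) / max(len(cmd), 1)

def classify(event):
    """Apply the article's four pseudo-analytics; returns the labels that matched."""
    proc, cmd = event["process"].lower(), event["cmd"]
    low = cmd.lower()
    hits = []
    if proc in ("powershell.exe", "cmd.exe") and "base64" in low:
        hits.append("base64")
    if proc == "powershell.exe" and encoded_payload(cmd):
        hits.append("encodedcommand")
    if proc == "cmd.exe" and escape_char_ratio(cmd) > 0.15:  # threshold is an assumption
        hits.append("escape-chars")
    if proc == "wscript.exe" and event["netconn"] and all(s in low for s in ("users", "temp", ".zip", ".js")):
        hits.append("zip-js")
    return hits

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev), ev["cmd"][:60])
```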

Real-life Example

Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

Following the 2016 U.S. Presidential Election, The Dukes (APT29 or Cozy Bear) launched a series of spear phishing campaigns targeting U.S. think tanks and NGOs. Among these, one attack wave mimicked earlier Dukes tactics by posing as an electronic fax from Secure Fax Corp. This particular attack involved an email with a link to a ZIP file containing a Microsoft shortcut (.LNK) that executed PowerShell commands. The overall campaign used compromised and fake Gmail accounts to distribute emails with malicious attachments or links, delivering PowerDuke malware via documents with embedded macros and concealed within PNG files.

The "Shocking" Truth About Election Rigging

The initial attack wave closely resembles earlier tactics used by The Dukes. It involves an email purporting to be from Secure Fax Corp. with a link to a ZIP file containing a Microsoft shortcut file (.LNK). This shortcut file executes PowerShell commands to perform anti-VM checks, deploy a backdoor, and display a decoy document. The email originated from the attacker-controlled account industry.faxsolution@gmail.com.


The e-mail contained links pointing to the following URL:

hxxp://efax.pfdweek[.]com/eFax/message0236.ZIP

Inside of this password (1854) protected ZIP file is a Microsoft shortcut file named:

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Note that pfdweek[.]com appears to be under the control of the attackers but may be a hijacked domain.

Details on each of the files are included below.

Filename: message0236.ZIP
File size: 643843 bytes
MD5 hash: bea0a6f069bd547db685698bc9f9d25a
SHA1 hash: ee09bec09388338134d47fa993d5e0f86efe5bd4
Notes: Password protected ZIP file containing malicious Microsoft shortcut file (37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk)

Filename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
File size: 724003 bytes
MD5 hash: c272aebc661c54cc960ba9a4a3578952
SHA1 hash: 52d62213c66a603e33dab326bf4fa29d6ac681c4
Notes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.

Filename: kxwn.lock
File size: 10752 bytes
MD5 hash: 28b95a2c399e60ee535c32e73860fbea
SHA1 hash: bf4ce67b6e745e26fcf3a2d41938a9dff1395076
Notes: Primary PowerDuke backdoor (DLL) loader (leverages kxwn.lock:schemas) dropped to "%APPDATA\Roaming\Microsoft\" with persistence via HKCU Run Key "WebCache" (rundll32.exe %APPDATA\Roaming\Microsoft\kxwn.lock , #2). Connects directly to 173.243.80.6:443 for command and control.

Filename: kxwn.lock:schemas
File size: 609853 bytes
MD5 hash: 4e1dec16d58ba5f4196f6a76a0bca75c
SHA1 hash: a7c43d7895ecef2b6306fb00972c321060753361
Notes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Feel free to share more insights on this technique! The comment section is open for all security experts to contribute valuable information to our community.
