Esc
Obfuscated Files or Information - T1027
(ATT&CK® Technique)
Definition
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1027["Obfuscated Files or Information"] --> |creates| JavaScriptBlob["JavaScript Blob"]; class T1027 OffensiveTechniqueNode;
class JavaScriptBlob ArtifactNode; click JavaScriptBlob href "/dao/artifact/d3f:JavaScriptBlob";
click T1027 href "/offensive-technique/attack/T1027/"; click JavaScriptBlob href "/dao/artifact/d3f:JavaScriptBlob"; T1027["Obfuscated Files or Information"] --> |creates| ExecutableFile["Executable File"]; class T1027 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1027 href "/offensive-technique/attack/T1027/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1027["Obfuscated Files or Information"] --> |obfuscates| ExecutableFile["Executable File"]; class T1027 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1027 href "/offensive-technique/attack/T1027/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1027["Obfuscated Files or Information"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1027 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1027 href "/offensive-technique/attack/T1027/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1027["Obfuscated Files or Information"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1027["Obfuscated Files or Information"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1027["Obfuscated Files or Information"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1027["Obfuscated Files or Information"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.->
| may-evict | T1027["Obfuscated Files or Information"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1027["Obfuscated Files or Information"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1027["Obfuscated Files or Information"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1027["Obfuscated Files or Information"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.->
| may-harden | T1027["Obfuscated Files or Information"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1027["Obfuscated Files or Information"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1027["Obfuscated Files or Information"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableBinary["Executable Binary"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1027["Obfuscated Files or Information"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";