type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of capturing keystrokes.(Citation: Citizen Lab Group5)
relationship_id : relationship--8447c89e-a743-430e-8ef5-41abfcde1a01
revoked : False
technique : Keylogging
technique_description : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021) Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1056.001
matrix : mitre-attack
platform : ['Windows', 'macOS', 'Linux', 'Network']
data_sources : ['Driver: Driver Load', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Modification']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of watching the victim's screen.(Citation: Citizen Lab Group5)
relationship_id : relationship--8e69c855-db70-4b5e-866b-f9ce0b786156
revoked : False
technique : Screen Capture
technique_description : Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1113
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)
relationship_id : relationship--a9bc7666-f637-4093-a5bb-4edb61710e45
revoked : False
technique : File Deletion
technique_description : Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows and rm or unlink on Linux and macOS.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1070.004
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'File: File Deletion']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
relationship_description : [Group5](https://attack.mitre.org/groups/G0043) disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)
relationship_id : relationship--c3a1969b-1edb-4a78-80ab-b122cc2822e4
revoked : False
technique : Obfuscated Files or Information
technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
(Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1027
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------