
DET0378 Behavioral Detection of Obfuscated Files or Information

| Item | Value |
|---|---|
| ID | DET0378 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1027 (Obfuscated Files or Information)

Analytics

Windows

AN1064

Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

Mutable Elements

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Tune entropy threshold to distinguish obfuscation from legitimate compression |
| TimeWindow | Adjust correlation window between script execution and encoded file creation |
| SuspiciousParentProcessList | Customize based on environment to include LOLBins or admin tools misused for obfuscation |
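As an added example (not part of the ATT&CK detection strategy itself), the AN1064 correlation expressed as a runnable Python check over Sysmon-style records: a process launch (EventCode=1) with a suspicious parent or obfuscated command line is paired with an encoded-format file creation (EventCode=11) on the same host inside the time window, with an optional Shannon-entropy gate on the file bytes. The field names, threshold values and sample events are assumptions constructed for the example.

```python
import math
from collections import Counter
from datetime import datetime, timedelta
# Mutable elements from AN1064; these starting values are assumptions to tune per environment.
PAYLOAD_ENTROPY_THRESHOLD = 7.0          # bits per byte (8.0 is the ceiling for byte data)
TIME_WINDOW = timedelta(seconds=120)     # script launch -> encoded file creation
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}
ENCODED_EXTENSIONS = (".zip", ".7z", ".enc", ".b64")
OBFUSCATION_MARKERS = ("-encodedcommand", "-enc ", "frombase64string", "-w hidden")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8 for encrypted/compressed data, ~4-5 for plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def correlate(events, contents=None):
    """Pair EventCode=1 records showing script/obfuscated execution with EventCode=11 creations
    of encoded-format files on the same host within TIME_WINDOW; `contents` maps path -> bytes."""
    contents, hits = contents or {}, []
    procs = [e for e in events if e["EventCode"] == 1]
    for f in (e for e in events if e["EventCode"] == 11):
        if not f["TargetFilename"].lower().endswith(ENCODED_EXTENSIONS):
            continue
        data = contents.get(f["TargetFilename"])
        entropy = shannon_entropy(data) if data is not None else None
        if entropy is not None and entropy < PAYLOAD_ENTROPY_THRESHOLD:
            continue                     # low entropy: plain data, not an encoded/encrypted payload
        for p in procs:
            in_window = timedelta(0) <= f["UtcTime"] - p["UtcTime"] <= TIME_WINDOW
            suspicious = (p["ParentImage"].rsplit("\\", 1)[-1].lower() in SUSPICIOUS_PARENTS
                          or any(m in p["CommandLine"].lower() for m in OBFUSCATION_MARKERS))
            if p["Computer"] == f["Computer"] and in_window and suspicious:
                hits.append({"host": f["Computer"], "process": p["CommandLine"],
                             "file": f["TargetFilename"], "entropy": entropy})
    return hits

# Constructed Sysmon-style records (not real telemetry): an encoded PowerShell launch (the
# payload decodes to "get-date") followed by an .enc file on ws01; an ordinary 7-Zip job on ws02.
T0 = datetime(2025, 10, 21, 12, 0, 0)
STAGED = r"C:\Users\alice\AppData\Local\Temp\stage.enc"
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "ws01", "UtcTime": T0, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -EncodedCommand ZwBlAHQALQBkAGEAdABlAA=="},
    {"EventCode": 11, "Computer": "ws01", "UtcTime": T0 + timedelta(seconds=40), "TargetFilename": STAGED},
    {"EventCode": 1, "Computer": "ws02", "UtcTime": T0, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "7z.exe a report.zip report.docx"},
    {"EventCode": 11, "Computer": "ws02", "UtcTime": T0 + timedelta(seconds=5),
     "TargetFilename": r"C:\Users\bob\Documents\report.zip"},
]
SAMPLE_CONTENTS = {STAGED: bytes(range(256)) * 4}   # uniform bytes: entropy 8.0, as ciphertext would be
```

Running `correlate(SAMPLE_EVENTS, SAMPLE_CONTENTS)` yields the single ws01 pairing; the ws02 archive is dropped because neither its parent nor its command line is suspicious, and supplying low-entropy bytes for the .enc file suppresses the ws01 hit too.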

Linux

AN1065

Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Command Execution (DC0064) | linux:cli | Shell history logs |

Mutable Elements

| Field | Description |
|---|---|
| CommandRegex | Customize for tools seen in environment (e.g., gzip, bzip2, xz) |
| SensitivePathList | Specify file paths likely targeted for obfuscation (e.g., /etc/, /home/) |

macOS

AN1066

Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream --predicate 'processImagePath contains "zip" OR "base64"' |
| File Creation (DC0039) | macos:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| FilenameExtensionList | Tunable to identify uncommon or encrypted file formats (e.g., .enc, .b64, .xz) |
| UserContext | Tune to prioritize unexpected file access by service accounts |

Network Devices

AN1067

Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | networkdevice:IDS | content inspection / PCAP / HTTP body |

Mutable Elements

| Field | Description |
|---|---|
| EntropyThreshold | Adjust threshold to reduce false positives in compressed but benign data |
| ProtocolScope | Refine by enabling inspection of specific exfil vectors (e.g., FTP, HTTP POST) |

ESXi

AN1068

Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | esxi:vmkernel | Datastore modification events |
| OS API Execution (DC0021) | esxi:hostd | Remote access API calls and file uploads |

Mutable Elements

| Field | Description |
|---|---|
| StagingLocation | Tune based on observed adversary paths (e.g., /vmfs/volumes/…) |
| EncodedLengthThreshold | Tune length of encoded payloads before triggering detection |