T1001 Data Obfuscation
Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden, but not necessarily encrypted, so that their content is harder to discover or decipher, the communication is less conspicuous, and the commands themselves are concealed from inspection. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
| Item | Value |
|---|---|
| ID | T1001 |
| Sub-techniques | T1001.001, T1001.002, T1001.003 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 15 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0381 | FlawedAmmyy | FlawedAmmyy may obfuscate portions of the initial C2 handshake.[6] |
| S1044 | FunnyDream | FunnyDream can send compressed and obfuscated packets to C2.[7] |
| C0014 | Operation Wocao | During Operation Wocao, threat actors encrypted IP addresses used for “Agent” proxy hops with RC4.[8] |
| S0495 | RDAT | RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.[2] |
| S0610 | SideTwist | SideTwist can embed C2 responses in the source code of a fake Flickr webpage.[3] |
| S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.[4] |
| S0682 | TrailBlazer | TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[5] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
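One way to operationalise the Network Traffic Content data source against the RDAT-style procedure above (encoded data carried in DNS subdomain labels) is an entropy and label-length heuristic over observed query names. The following is an added example written for this page, not MITRE's or any vendor's code; the query names are constructed, the `c2-placeholder.example` domain is a placeholder, and the thresholds (3.5 bits, 20 characters) are assumptions to be tuned per environment.

```python
import math
from collections import Counter

# Constructed sample DNS query names (not from a real capture). The last two
# look like hex-encoded data carried in a subdomain label, as described for RDAT.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn3.static.example.com",
    "4a7f9c2e1b6d8e0f3a5c7b9d1e2f4a6c.c2-placeholder.example",
    "9f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.example",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def suspicious_labels(name: str, entropy_threshold: float = 3.5, min_len: int = 20):
    """Return (label, entropy) for subdomain labels that are both long and
    high-entropy, which is typical of encoded or encrypted payload data.

    Assumption: the registrable domain is the last two labels. A production
    detector would use the Public Suffix List instead of this approximation.
    """
    labels = name.lower().rstrip(".").split(".")
    subdomain = labels[:-2]
    return [
        (label, round(shannon_entropy(label), 4))
        for label in subdomain
        if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold
    ]


def scan(queries):
    """Return the query names that carry at least one suspicious label."""
    return [q for q in queries if suspicious_labels(q)]


if __name__ == "__main__":
    # Expect the two c2-placeholder names to be flagged; the CDN label 'static'
    # is short and low-entropy, so ordinary hostnames pass. Legitimate services
    # that embed long hashes in hostnames will still need an allow-list.
    for q in scan(SAMPLE_QUERIES):
        print(q, suspicious_labels(q))
```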
References
1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
2. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
3. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
4. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
5. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
6. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
7. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.