What is obfuscated files or information (T1027)?

Obfuscated files or information (T1027) is a MITRE ATT&CK® defense evasion technique where adversaries make their payloads, scripts, and commands difficult to analyze or detect by encoding, encrypting, or structurally obscuring them. The goal is to prevent security tools from recognizing malicious content through static signature matching or plain-text inspection, making an attack's components look like noise until the moment they execute.

Obfuscation is not a single action. It is a toolkit of methods ranging from simple Base64 encoding of PowerShell commands to sophisticated software packing that changes a binary's byte structure entirely. Log360 maps 60+ pre-built correlation rules to T1027, targeting the execution-time signals and structural patterns that remain detectable even when the payload content is hidden.

Where T1027 fits in the ATT&CK chain: T1027 maps to TA0005 — Defense evasion. Obfuscation is commonly applied at multiple phases: during initial access to hide phishing payload delivery, during execution to encode malicious scripts, and during persistence to obscure the content of startup entries. It frequently combines with process injection (T1055) and indicator removal (T1070) to form a complete evasion chain.

How attackers use obfuscation

Obfuscation is effective because most security tools perform pattern matching against known-bad content. If the content is encoded, the pattern does not match. Attackers apply obfuscation at multiple layers of their toolchain:

  1. PowerShell command obfuscation: Attackers encode PowerShell commands in Base64 and invoke them with powershell -enc [base64string], bypassing script-based detection rules that look for plain-text keywords like "IEX", "DownloadString", or "Invoke-Mimikatz". Tools like Invoke-Obfuscation automate this process, producing multiple encoding variants from a single malicious command.
  2. Compile-after-delivery: Instead of delivering a precompiled malicious executable, attackers deliver source code or an intermediate representation (such as C# code) and compile it on the victim machine using legitimate system utilities like csc.exe (the .NET C# compiler) or Add-Type in PowerShell. This bypasses file-based AV scanning because no malicious binary exists until execution.
  3. Software packing: Packers compress and encrypt executable code so the binary on disk has a different byte structure from its in-memory execution form. Standard AV signatures match the packed binary, not the unpacked payload. Log360 detects packing indicators through behavioral analysis of the unpacking process rather than the packed file itself.
  4. Steganography: Malicious payloads are hidden within images, audio files, or documents. The carrier file appears legitimate and passes standard security scans. The attacker uses a secondary process to extract and execute the embedded payload.
  5. Command-line character manipulation: Attackers insert special characters, environment variable references, or string formatting operations into command-line arguments to break signature pattern matching. A command like p^o^w^e^r^s^h^e^l^l invokes PowerShell while defeating regex patterns looking for "powershell".

Obfuscation in real-world incidents

T1027 is consistently observed across commodity malware, ransomware, and APT campaigns:

  • Emotet and QakBot: Both loaders use heavily obfuscated VBA macros and PowerShell download cradles with multiple encoding layers to deliver secondary payloads while evading email gateway and endpoint scanning.
  • APT29 (Cozy Bear): Uses compile-after-delivery techniques to generate malicious .NET assemblies on victim hosts, ensuring no precompiled malicious binary is present for file-based detection.
  • LockBit ransomware affiliates: Deploy obfuscated PowerShell stagers that download and execute ransomware payloads, with the obfuscation layer changed between campaigns to defeat signature-based detection.

Sub-techniques and variants

MITRE ATT&CK documents several sub-techniques under T1027, each requiring different detection logic:

  • T1027.001 — Binary padding: Adding null bytes or irrelevant data to a binary to change its hash value, defeating hash-based detection controls.
  • T1027.002 — Software packing: Using commercial or custom packers to compress and encrypt the executable payload, causing the on-disk binary to appear different from the in-memory execution form.
  • T1027.003 — Steganography: Embedding malicious code within image, audio, or document files to hide payload delivery within legitimate-looking file transfers.
  • T1027.004 — Compile after delivery: Delivering source code or intermediate representations and compiling them on the victim machine using csc.exe, Add-Type, or similar utilities to bypass file-based scanning.
  • T1027.009 — Embedded payloads: Hiding executable payloads inside documents, archives, or data files that extract and execute at runtime.
  • T1027.010 — Command obfuscation: Manipulating command-line syntax, using string concatenation, environment variables, or special character insertion to defeat command-line pattern matching.

Detection indicators for T1027

T1027 detection requires behavioral analysis at execution time rather than static analysis of files on disk, because the obfuscated form of a payload does not resemble the malicious content it conceals. Key indicator categories:

PowerShell encoded command execution

Event ID 4688 with command-line logging enabled captures the raw PowerShell invocation arguments. The presence of -enc, -e, -encodedcommand, or long Base64 strings in PowerShell arguments is a reliable obfuscation indicator. Log360's Invoke-Obfuscation detection rules specifically target command patterns produced by common obfuscation frameworks.

Script block logging (Event ID 4104)

PowerShell Script Block Logging captures the deobfuscated content of every PowerShell block at execution time, regardless of how the original command was encoded. This is the most reliable T1027 detection primitive — it surfaces the actual malicious content even when every other encoding layer succeeds. Log360 correlates Event ID 4104 content against known-bad patterns from Invoke-Obfuscation variants, encoded download cradles, and shellcode runners.

Dynamic compilation artefacts

Compile-after-delivery attacks produce characteristic artefacts: csc.exe or vbc.exe spawned by unexpected parents (PowerShell, Office, browsers), temporary .cs or .vb source files in user directories, and Sysmon Event ID 7 showing new .NET assemblies loaded by script hosts. Log360's Dynamic CSharp Compile Artefact rule targets this pattern directly.

Packed binary behavioral indicators

Software packers produce characteristic runtime behavior: self-modifying code, memory allocation with write-execute permissions, and process image mismatches between the on-disk file and the in-memory loaded image. Sysmon Event ID 8 (CreateRemoteThread) and unusual memory access patterns associated with unpacking routines are detectable through Log360's behavioral correlation rules.

Log360 detection rules for T1027

Log360 ships with 60+ pre-built correlation rules directly mapped to Obfuscated files or information (T1027). Rules target obfuscation mechanics rather than payload content, providing detection that remains effective across encoding variants and new obfuscation tools:

Rule name Platform Severity What it detects
Dynamic CSharp Compile Artefact Sysmon, Windows Trouble Detects compile-after-delivery activity where C# source code is compiled on the victim host using csc.exe or Add-Type, producing a malicious .NET assembly without a precompiled binary on disk
Invoke-Obfuscation RUNDLL LAUNCHER Windows Trouble Identifies PowerShell commands obfuscated using Invoke-Obfuscation's RUNDLL launcher method, which proxies execution through rundll32.exe to bypass PowerShell-specific detection rules
Invoke-Obfuscation Via Use MSHTA Windows Trouble Detects Invoke-Obfuscation commands that route execution through mshta.exe, a common obfuscation bypass technique that uses the HTML Application Host as a proxy to execute obfuscated PowerShell
Invoke-Obfuscation Via Use Rundll32 Windows Trouble Flags PowerShell obfuscation via rundll32.exe with the SCRIPT:HTTP/HTTPS pattern, detecting when Invoke-Obfuscation routes a script download and execution through rundll32
Potential PowerShell Obfuscation Using Character Join Windows Trouble Identifies PowerShell commands that use character-join concatenation techniques (e.g., [char]104+[char]101+...) to reconstruct command strings at runtime, defeating keyword-based detection
Python Image Load By Non-Python Process Sysmon Trouble Detects Python runtime libraries (python*.dll) loaded by processes that are not expected Python interpreters — an indicator of software packing or injected Python payload execution
Potential Winnti Dropper Activity Sysmon, Windows Critical Detects process and file creation patterns associated with Winnti group dropper activity, which uses obfuscated payloads embedded in legitimate-looking archive files to evade initial delivery scanning
Additional obfuscation detection rules (50+ rules) Windows, Sysmon Critical / Trouble Covers Invoke-Obfuscation variants, encoded download cradles, script block obfuscation patterns, environment variable substitution abuse, and dynamic assembly loading scenarios across multiple sub-techniques

Coverage note: Log360's T1027 detection rules span both signature-based patterns (specific Invoke-Obfuscation tool outputs) and behavioral indicators (compile-after-delivery artefacts, runtime assembly loading by unexpected processes). This dual coverage ensures detection remains effective when attackers modify their obfuscation tool parameters to change the specific encoding patterns.

Investigation steps

When Log360 fires a T1027 obfuscation alert, follow this sequence to decode the payload, identify the attacker's intent, and scope the impact:

  1. Retrieve the script block logging content: Pull Event ID 4104 records from the affected host for the alert timeframe. PowerShell Script Block Logging captures the deobfuscated payload regardless of how it was encoded in transit, this is the fastest path to understanding what the obfuscated command actually did.
  2. Decode the encoded command-line manually if needed: If script block logging is not available, extract the Base64 string from Event ID 4688 and decode it with [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('[string]')). This reveals the actual PowerShell command that was executed.
  3. Identify the parent process and delivery chain: Trace the parent process of the PowerShell or compilation activity. Office applications, browsers, and email clients as PowerShell parents indicate macro or browser-based delivery. Trace the chain to identify the initial access vector.
  4. Check for secondary payload execution: Obfuscation is typically a delivery layer, not the final payload. After decoding, identify what the obfuscated command did: downloaded a file, injected code, created a scheduled task, or established a network connection. Pivot to investigate those secondary actions.
  5. Assess network connections: Review outbound network connections from the affected host in the window around the alert. Encoded download cradles (IEX, DownloadString, Invoke-WebRequest) indicate external payload retrieval. Extract the URL and check against threat intelligence.
  6. Search for compile-after-delivery artefacts: If the alert involves dynamic compilation, search for temporary .cs/.vb source files, csc.exe or vbc.exe process execution, and newly created .NET assemblies in user-writable directories.

Response playbook

  • Contain the affected host: If active obfuscated payload execution is confirmed, isolate the host from the network. Obfuscated payloads are delivery mechanisms for secondary payloads — containment prevents the secondary payload from reaching out to C2 or moving laterally before it is identified.
  • Collect forensic evidence: Before any remediation, capture the original encoded command-line from Event ID 4688, the decoded script block content from Event ID 4104, any dynamically compiled assemblies on disk, and the memory state of involved processes if live response is available.
  • Remove delivered payloads: Delete any malicious files dropped by the obfuscated command. Hash all artefacts for threat intelligence sharing. If a compiled assembly was created, locate and remove both the source file and the compiled binary.
  • Review persistence mechanisms: Obfuscated PowerShell frequently installs persistence. Check for new scheduled tasks (Event ID 4698), new services (Event ID 7045), registry run keys, and startup folder additions created around the time of the alert.
  • Enable script block logging if not already active: If the alert surfaced through command-line detection rather than script block logging, prioritize enabling Event ID 4104 collection in Log360. Script block logging makes future obfuscation significantly harder to execute undetected.
  • Update detection baselines: After the incident, add the decoded indicators (download URLs, C2 addresses, compiled assembly hashes) to Log360's threat intelligence and custom detection rules to catch future variants of the same campaign.

ManageEngine Log360 for T1027 detection

Log360's 60+ pre-built T1027 obfuscation detection rules target the mechanics of obfuscation techniques rather than payload signatures, providing detection that works across encoding variants, new obfuscation toolkits, and custom encoding schemes. PowerShell Script Block Logging integration surfaces deobfuscated payloads at execution time, while compile-after-delivery and packing indicators are caught through behavioral correlation rules that do not require prior knowledge of specific payloads.

Download free trial Schedule a demo

Frequently asked questions

What is Obfuscated files or information (T1027) in MITRE ATT&CK?

Obfuscated files or information (T1027) is a MITRE ATT&CK defense evasion technique where adversaries encode, encrypt, or structurally transform their payloads, scripts, and commands to prevent security tools from recognizing them. Common methods include Base64-encoded PowerShell commands, compile-after-delivery via csc.exe, software packing, steganography, and command-line character manipulation. Because the obfuscated form does not resemble known-bad content, static signature detection often fails. Log360 addresses this by mapping 60+ correlation rules to T1027 that target execution-time and behavioral signals, such as script block logging output, dynamic compilation artefacts, and obfuscation tool patterns, which remain detectable regardless of how the payload is encoded.

How does Log360 detect PowerShell obfuscation?

Log360 detects PowerShell obfuscation through three layers: Event ID 4688 command-line analysis to flag Base64-encoded arguments and Invoke-Obfuscation patterns; Event ID 4104 (Script Block Logging) to capture deobfuscated execution content; and specific rules targeting known obfuscation frameworks like Invoke-Obfuscation RUNDLL, MSHTA, and character-join variants. Script Block Logging integration provides the most reliable coverage because it captures content at execution time regardless of encoding method.

What is compile-after-delivery and how is it detected?

Compile-after-delivery (T1027.004) is a technique where attackers deliver source code or intermediate representations to the victim host and compile them on-site using legitimate system utilities like csc.exe (.NET C# compiler) or Add-Type in PowerShell. No precompiled malicious binary exists for AV scanning. Log360 detects this through the Dynamic CSharp Compile Artefact rule, which identifies csc.exe or vbc.exe spawned by unexpected parent processes (PowerShell, Office, browsers) and temporary source files created in user-writable directories.

Can obfuscation bypass SIEM detection?

Obfuscation can bypass static signature-based SIEM rules that match against specific command strings, because encoded commands do not match those patterns. However, behavioral detection remains highly effective: PowerShell Script Block Logging captures deobfuscated content at execution regardless of encoding, and Log360's T1027 rules target obfuscation mechanics (the act of using character-join, Base64, or dynamic compilation) rather than payload content. Attackers cannot avoid these behavioral indicators without abandoning obfuscation entirely.

On this page
 
  • What is obfuscated files or information (T1027)?
  • How attackers use obfuscation
  • Sub-techniques and variants
  • Detection indicators
  • Log360 detection rules
  • Investigation steps
  • Response playbook
  • Frequently asked questions