title: Obfuscated Files or Information (T1027)
id: df00tech-t1027
status: experimental
description: "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted to avoid detection. Portions of files may be encoded to hide plaintext strings. Payloads may be split into separate benign-looking files that only reveal malicious functionality when reassembled. Real-world examples include BackdoorDiplomacy using VMProtect, Ryuk using anti-disassembly and code transformation, Lokibot and Amadey using Base64 string obfuscation, and SVCReady/ECCENTRICBANDWAGON using RC4/XOR encryption."
references:
  - https://attack.mitre.org/techniques/T1027/
  - https://df00tech.com/detections/T1027
author: df00tech
date: 2026/04/14
tags:
  - attack.t1027
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software developers and build pipelines routinely call certutil -encodehex or PowerShell Base64 operations as part of legitimate encoding/decoding workflows
  - "IT automation tools (SCCM, Ansible, Intune) often pass encoded configuration blobs to PowerShell as a safe way to handle special characters in installation scripts"
  - Security tools and scanners themselves may decode malware samples as part of analysis pipelines on analyst workstations
  - Backup and archiving software may use certutil or 7-zip with password flags that superficially resemble obfuscation patterns
  - Web developers may use JavaScript unescape() or String.fromCharCode() in test scripts that get executed via cscript.exe during CI/CD
level: medium
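
Because the `detection` block above is a placeholder (`EventID: '*'` matches every process-creation event), here is an added worked example of the kind of logic the falsepositives list implies. It is not part of this rule and not df00tech's KQL/SPL query. It scores Windows `process_creation` events for the obfuscation indicators the rule discusses: a PowerShell `-EncodedCommand` blob (decoded from Base64/UTF-16LE and inspected for a second, nested decode step), `certutil` encode/decode switches, and long high-entropy arguments, then downgrades hits whose parent process is one of the IT-automation agents named as false-positive sources. Field names follow the Sysmon/Sigma `process_creation` convention; the sample events, the parent allowlist and the thresholds are constructed assumptions, not values from the page.

```python
"""
T1027 obfuscation indicators over process_creation events.
Added example beside the df00tech T1027 rule; not the rule's own logic.
Fields (Image, CommandLine, ParentImage) follow the Sysmon/Sigma convention.
"""
import base64
import math
import re
import string
from typing import Dict, List, Optional

# -EncodedCommand and its common abbreviations, followed by a Base64 token.
ENCODED_CMD_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# certutil used as an encoder/decoder (the falsepositives list names -encodehex).
CERTUTIL_RE = re.compile(
    r"(?i)certutil(?:\.exe)?.*\s-(?:decode|decodehex|encode|encodehex)\b")
# A decoded script that immediately decodes again is a stronger signal.
NESTED_RE = re.compile(r"(?i)FromBase64String|Invoke-Expression|\bIEX\b")

# Constructed allowlist (assumption) for the SCCM/Ansible/Intune false positives.
BENIGN_PARENTS = {"ccmexec.exe", "ansible-winrm-host.exe",
                  "intunemanagementextension.exe"}
MIN_TOKEN_LEN = 40      # only long arguments are worth an entropy check
ENTROPY_THRESHOLD = 4.5  # bits/char; random Base64 sits near 6.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_powershell_encoded(blob: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in Base64; None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return indicator names, a severity level and any decoded payload."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    hits: List[str] = []
    decoded: Optional[str] = None

    m = ENCODED_CMD_RE.search(cmd)
    if m:
        hits.append("powershell_encoded_command")
        decoded = decode_powershell_encoded(m.group(1))
        if decoded and NESTED_RE.search(decoded):
            hits.append("nested_decode_in_payload")

    if CERTUTIL_RE.search(cmd):
        hits.append("certutil_encode_decode")

    # Long high-entropy tokens catch other encodings (hex, RC4/XOR blobs).
    # The -EncodedCommand blob is already counted, so it is skipped here.
    skip = m.group(1) if m else None
    if any(len(t) >= MIN_TOKEN_LEN and t != skip
           and shannon_entropy(t) > ENTROPY_THRESHOLD for t in cmd.split()):
        hits.append("high_entropy_argument")

    if not hits:
        level = "none"
    elif parent in BENIGN_PARENTS:
        level = "low"          # known automation parent: keep, but downgrade
    else:
        level = "high" if len(hits) >= 2 else "medium"
    return {"hits": hits, "level": level, "decoded": decoded}


def build_sample_events() -> List[Dict[str, str]]:
    """Constructed process_creation events (not real telemetry)."""
    harmless = "$d = [Convert]::FromBase64String('SGVsbG8='); Write-Output $d.Length"
    blob = base64.b64encode(harmless.encode("utf-16-le")).decode("ascii")
    # 64 distinct characters: a deliberately high-entropy archive password.
    password = string.ascii_letters + string.digits + "+/"
    return [
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "powershell.exe -NoP -W Hidden -enc " + blob},
        {"Image": r"C:\Windows\System32\certutil.exe",
         "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
         "CommandLine": "certutil.exe -encodehex package.bin package.hex"},
        {"Image": r"C:\Windows\System32\notepad.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
        {"Image": r"C:\Program Files\7-Zip\7z.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -p' + password
                        + r" backup.7z D:\data"},
    ]


if __name__ == "__main__":
    for ev in build_sample_events():
        r = score_event(ev)
        print(f"{r['level']:6} {r['hits']}  {ev['CommandLine'][:60]}")
```

The 7-Zip event shows why the entropy indicator alone should stay at `medium`: a strong archive password is indistinguishable from an encoded payload on the command line, exactly the false positive the rule lists, and only context (parent process, decoded content, file written) separates the two.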
