DET0378: Behavioral Detection of Obfuscated Files or Information
Analyst context for executives and security teams
This detection strategy is about finding behavior consistent with obfuscated files or information: content that has been encrypted, encoded, compressed, archived, or otherwise made harder to inspect. For leaders, the business issue is not the obfuscation itself; it is that adversaries use it to reduce visibility during initial access or later operations, which can delay containment and increase investigation cost.
Executive priority
Prioritize this as a visibility and resilience question: can the organization show that SOC and incident response teams recognize suspicious obfuscation patterns across the relevant enterprise assets, especially where ATT&CK ties the behavior to ESXi, Linux, macOS, and network devices? This matters for control validation, incident decision-making, and audit evidence, because gaps in file, network, and endpoint telemetry can leave defenders unable to distinguish routine compression or encryption from evasion-oriented activity.
Technical view
DET0378 is a detection strategy for T1027, Obfuscated Files or Information. Because the ATT&CK object does not provide an official detection description, teams should validate coverage against the related technique context: files or payloads that are encrypted, encoded, compressed, archived, or otherwise difficult to analyze on systems or in transit. SOC and detection engineering should focus on behavioral signals rather than single indicators, and should account for legitimate administrative, backup, deployment, packaging, and encryption activity that may resemble this behavior.
Likely telemetry
- File creation, modification, rename, archive, compression, and encryption-related events where available
- Endpoint process execution and command-line telemetry associated with file transformation or unpacking activity
- File metadata, hashes, and entropy or content-inspection results where collection is permitted
- Network traffic or content metadata showing encoded, encrypted, compressed, or archived payload movement where visibility exists
- Security tool alerts or logs from endpoint, network, and file inspection controls
Detection direction
- Confirm whether current detections look for behavior patterns associated with obfuscated files or information rather than relying only on known hashes or signatures.
- Tune detections to separate common business use cases, such as software packaging, backups, encrypted transfers, and administrative archiving, from unusual or suspicious patterns.
- Validate telemetry coverage on the platforms supplied by the related ATT&CK technique: ESXi, Linux, macOS, and network devices; do not assume equivalent visibility across them.
- Use relationship context to map this strategy to T1027 and test whether alerts provide enough evidence for IR teams to determine whether obfuscation was used to evade defenses.
- Document blind spots where encrypted, compressed, archived, or encoded content cannot be inspected because of logging, privacy, architecture, or device limitations.
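One way to turn the behavioral direction above into a concrete check, as an added example that is not part of the ATT&CK object or of this page's analysis: it scores constructed file-creation events by byte entropy, suppresses recognized container headers so routine backups and packaging are not flagged, and looks for long base64 tokens in the creating command line. The container allowlist, the entropy threshold, and the sample events are assumptions chosen for the example.

```python
import base64
import math
import re

# Leading bytes of container formats routine in backups and packaging (an allowlist chosen for this example).
CONTAINER_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; compressed or encrypted data sits near 8.0
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def container_type(data: bytes):
    # Name of a recognized container format, or None when the header is unknown.
    return next((name for magic, name in CONTAINER_MAGIC.items() if data.startswith(magic)), None)

def has_encoded_blob(cmdline: str) -> bool:
    """True when the command line carries a long, decodable base64 token of mixed case."""
    for tok in B64_TOKEN.findall(cmdline):
        if tok.lower() == tok or tok.upper() == tok:
            continue  # single-case tokens such as hex digests are a common benign match
        try:
            base64.b64decode(tok, validate=True)
            return True
        except ValueError:
            pass
    return False

def assess_event(path: str, content: bytes, cmdline: str) -> list:
    """Behavioral reasons an event resembles T1027 activity; an empty list means no finding."""
    reasons, ent = [], shannon_entropy(content)
    if ent >= ENTROPY_THRESHOLD and container_type(content) is None:
        reasons.append(f"{path}: entropy {ent:.2f} with no recognized container header")
    if has_encoded_blob(cmdline):
        reasons.append(f"{path}: base64 blob in creating command line")
    return reasons

# Constructed sample events (path, leading content bytes, creating command line), not real telemetry.
B64 = base64.b64encode(b"Hello world, this is a constructed sample string").decode()
EVENTS = [
    ("/var/backups/db.tar.gz", b"\x1f\x8b" + bytes(range(256)) * 16, "tar czf db.tar.gz /var/lib/db"),
    ("/tmp/.cache.dat", bytes(range(256)) * 16, f"sh -c \"echo '{B64}' | base64 -d > /tmp/.cache.dat\""),
    ("/etc/motd", b"Welcome to host01\n" * 64, "vi /etc/motd"),
]
ALERTS = [reason for event in EVENTS for reason in assess_event(*event)]  # two findings, both for /tmp/.cache.dat
```

The gzip-headed backup is high entropy but stays quiet because its container header is recognized, which is the tuning step the direction above calls for; only the headerless high-entropy file created by a base64-decoding command line produces findings.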
Mitigation priorities
- Start with visibility: ensure endpoint, file, and network logging is sufficient to observe suspicious file transformation and payload movement activity.
- Maintain asset and platform coverage maps so leadership understands where T1027-related behavior can and cannot be detected.
- Apply least-privilege and administrative control review where users or processes can create, stage, or move suspicious archives, encrypted files, or encoded payloads at scale.
- Use secure configuration and monitoring expectations for ESXi, Linux, macOS, and network devices where those platforms are in scope.
- Preserve relevant logs and file metadata for incident response so analysts can reconstruct whether obfuscation contributed to delayed detection.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms of its own. The practical guidance here is derived from its relationship to T1027, Obfuscated Files or Information, and from the related technique fields supplied with the mirrored object.
This analysis does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local telemetry, platform scope, logging configuration, privacy constraints, and normal business use of compression or encryption must be reviewed before operationalizing detections.
Behavioral Detection of Obfuscated Files or Information
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | This object detects Obfuscated Files or Information. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2835c3591d73… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0378 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.