Obfuscation or cryptography

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. [1]

ID: T1313
Sub-techniques:  No sub-techniques
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Procedure Examples

Name Description

Cleaver has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[2]


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Techniques and signatures are hard to detect. Advanced communications and exfiltration channels are nearly indistinguishable from background noise.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Known approaches include the use of cryptography for communications, rotating drops sites (such as random list of chat fora), and one-time [https://aws.amazon.com/s3/ Simple Storage Service (S3)] buckets, etc. All require sophisticated knowledge, infrastructure, and funding.


  1. FireEye, Inc. (2014). APT 28: A Window into Russia’s Cyber Espionage Operations?. Retrieved March 1, 2017.