T1406: Obfuscated Files or Information
Essential information
- MITRE technique ID
T1406- Confidence
- 100/100
- Revoked
- No
- Published
- 17/12/2025 22:48
- Modified
- 27/03/2026 01:41
- Author / Source
- The MITRE Corporation
Aliases
T1406
Platforms
android iOS
Description
Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-mobile-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.