[T1027.004: Obfuscated Files or Information: Compile After Delivery](https://cmndcntrl.notion.site/T1027-004-Obfuscated-Files-or-Information-Compile-After-Delivery-489ce8a264c242799772bfda84e1cd08)
[T1027.012: Obfuscated Files or Information: LNK Icon Smuggling](https://cmndcntrl.notion.site/T1027-012-Obfuscated-Files-or-Information-LNK-Icon-Smuggling-569f59c181084850ba91fe06e0b0e2c2)
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Antivirus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted. [373] |
| M1047 | Audit | Consider periodic review of common fileless storage locations (such as the Registry or the WMI repository) to potentially identify abnormal and malicious data. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [374] |
| M1017 | User Training | Ensure that a finite number of ingress points to a software deployment system exist, with access restricted to those required to allow and enable newly deployed software. |