T1027.013

Encrypted/Encoded File

Encrypted/Encoded File (T1027.013) is a MITRE ATT&CK technique associated with Stealth . Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.

Technique ID: T1027.013
Difficulty: Intermediate
Tactics: Stealth
Platforms: LinuxmacOSWindows

Executive Summary

Encrypted/Encoded File (T1027.013) is a MITRE ATT&CK technique associated with Stealth. Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection.

Why Attackers Use It

Attackers use Encrypted/Encoded File because it provides a reliable way to advance their objective within the Stealth tactic, often with a favorable balance of impact versus detectability on Linux, macOS, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.

This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.

The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.

For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).(Citation: SFX - Encrypted/Encoded File)

Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Encrypted/Encoded File to achieve its tactical objective (Stealth).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): Linux, macOS, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents Encrypted/Encoded File. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with Encrypted/Encoded File and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1049 -- Antivirus/Antimalware: Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware.
M1040 -- Behavior Prevention on Endpoint: Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events.

Related Techniques

T1001.002
T1014
T1020
T1027
T1027.002
T1027.004
T1027.009
T1027.016
T1036.003
T1036.008
T1037.001
T1040
T1048.002
T1052.001
T1053.003
T1055
T1055.003
T1056.002
T1057
T1059
T1059.003
T1059.006
T1059.007
T1059.008
T1059.010
T1068
T1070.004
T1070.006
T1071.001
T1082
T1083
T1098.004
T1102.001
T1102.003
T1105
T1129
T1134.004
T1137.006
T1140
T1189
T1195
T1195.001
T1195.002
T1203
T1205.001
T1217
T1218.001
T1218.007
T1218.011
T1218.015
T1222.001
T1480
T1480.002
T1496.001
T1497
T1497.002
T1542.003
T1543
T1543.002
T1543.003
T1543.004
T1546
T1546.004
T1547.004
T1547.013
T1553.002
T1556
T1559
T1564.004
T1565.002
T1566.003
T1568
T1569.001
T1572
T1574.001
T1574.006
T1583.004
T1585.003
T1586.003
T1594
T1614
T1615
T1647
T1657
T1678
T1679
T1684.001
T1686.003
T1688
T1690

T1001.002Steganography T1014Rootkit T1020Automated Exfiltration T1027Obfuscated Files or Information T1027.002Software Packing T1027.004Compile After Delivery T1027.009Embedded Payloads T1027.016Junk Code Insertion T1036.003Rename Legitimate Utilities T1036.008Masquerade File Type T1037.001Logon Script (Windows)T1040Network Sniffing T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1052.001Exfiltration over USB T1053.003Cron T1055Process Injection T1055.003Thread Execution Hijacking T1056.002GUI Input Capture T1057Process Discovery T1059Command and Scripting Interpreter T1059.003Windows Command Shell T1059.006Python T1059.007JavaScript T1059.008Network Device CLI T1059.010AutoHotKey & AutoIT T1068Exploitation for Privilege Escalation T1070.004File Deletion T1070.006Timestomp T1071.001Web Protocols T1082System Information Discovery T1083File and Directory Discovery T1098.004SSH Authorized Keys T1102.001Dead Drop Resolver T1102.003One-Way Communication T1105Ingress Tool Transfer T1129Shared Modules T1134.004Parent PID Spoofing T1137.006Add-ins T1140Deobfuscate/Decode Files or Information T1189Drive-by Compromise T1195Supply Chain Compromise T1195.001Compromise Software Dependencies and Development Tools T1195.002Compromise Software Supply Chain T1203Exploitation for Client Execution T1205.001Port Knocking T1217Browser Information Discovery T1218.001Compiled HTML File T1218.007Msiexec T1218.011Rundll32 T1218.015Electron Applications T1222.001Windows Permissions T1480Execution Guardrails T1480.002Mutual Exclusion T1496.001Compute Hijacking T1497Virtualization/Sandbox Evasion T1497.002User Activity Based Checks T1542.003Bootkit T1543Create or Modify System Process T1543.002Systemd Service T1543.003Windows Service T1543.004Launch Daemon T1546Event Triggered Execution T1546.004Unix Shell Configuration Modification T1547.004Winlogon Helper DLL T1547.013XDG Autostart Entries T1553.002Code Signing T1556Modify Authentication Process T1559Inter-Process Communication T1564.004NTFS File Attributes T1565.002Transmitted Data Manipulation T1566.003Spearphishing via Service T1568Dynamic Resolution T1569.001Launchctl T1572Protocol Tunneling T1574.001DLL T1574.006Dynamic Linker Hijacking T1583.004Server T1585.003Cloud Accounts T1586.003Cloud Accounts T1594Search Victim-Owned Websites T1614System Location Discovery T1615Group Policy Discovery T1647Plist File Modification T1657Financial Theft T1678Delay Execution T1679Selective Exclusion T1684.001Impersonation T1686.003Windows Host Firewall T1688Safe Mode Boot T1690Prevent Command History Logging

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes Encrypted/Encoded File to achieve its tactical objective (Stealth).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): Linux, macOS, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with Encrypted/Encoded File and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

M1049 -- Antivirus/Antimalware: Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware.
M1040 -- Behavior Prevention on Endpoint: Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events.

Related Techniques

T1001.002
T1014
T1020
T1027
T1027.002
T1027.004
T1027.009
T1027.016
T1036.003
T1036.008
T1037.001
T1040
T1048.002
T1052.001
T1053.003
T1055
T1055.003
T1056.002
T1057
T1059
T1059.003
T1059.006
T1059.007
T1059.008
T1059.010
T1068
T1070.004
T1070.006
T1071.001
T1082
T1083
T1098.004
T1102.001
T1102.003
T1105
T1129
T1134.004
T1137.006
T1140
T1189
T1195
T1195.001
T1195.002
T1203
T1205.001
T1217
T1218.001
T1218.007
T1218.011
T1218.015
T1222.001
T1480
T1480.002
T1496.001
T1497
T1497.002
T1542.003
T1543
T1543.002
T1543.003
T1543.004
T1546
T1546.004
T1547.004
T1547.013
T1553.002
T1556
T1559
T1564.004
T1565.002
T1566.003
T1568
T1569.001
T1572
T1574.001
T1574.006
T1583.004
T1585.003
T1586.003
T1594
T1614
T1615
T1647
T1657
T1678
T1679
T1684.001
T1686.003
T1688
T1690

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques