MITRE Technique [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File

[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Adversaries encrypt or encode files to hide malicious content from signature- and pattern-based defenses, often using layered encodings, password-protected archives, or custom schemes so that the real content is only revealed at execution time. #ObfuscatedFiles #DefenseEvasion

Keypoints

  • Adversaries encrypt or encode files to hide strings and byte patterns from detection engines.
  • Techniques include standard encodings (Base64), password-protected archives, and self-extracting (SFX) archives.
  • Obfuscation can target whole files or specific values like C2 addresses.
  • Layered or custom encodings raise the analysis effort and evade static signature checks.
  • Monitoring file creation and file metadata helps surface anomalous encrypted or encoded artifacts.

Description:

  • Like a message in a locked box, an encrypted or encoded file conceals harmful content until the lock is opened, so casual inspection (and string-based scanning) sees nothing dangerous.
  • Attackers transform file contents with encryption or encoding (symmetric encryption under a hardcoded key, archives protected by a user-supplied password, Base64 and similar encodings, or custom schemes) so that static detection does not match. The protected content may be a whole payload or only specific values such as a C2 address; either way, the file can be delivered and stored on disk while detection is deferred until the content is deobfuscated at runtime.

Detection:

  • Monitor file creation events and file metadata for unusual archive types, SFX binaries, or password-protected Office documents, using EDR and file integrity tools.
  • Scan file content with entropy analysis to flag high-entropy files indicative of encryption or packing, and forward anomalous entropy spikes to the SIEM. Calibrate thresholds per file class: Base64 text cannot exceed about 6 bits per byte (log2 of a 64-symbol alphabet), so a threshold tuned for packed binaries will miss encoded text, and very small files score low regardless of content.
  • Decode common encodings (Base64, hex, URL/percent encoding) and brute-force single-byte XOR automatically in sandbox and analysis pipelines, peeling layers iteratively, to reveal hidden payloads before execution.
  • Inspect Office macros and embedded objects in a detonation sandbox to catch staged payload extraction from password-protected or obfuscated containers.
  • Track suspicious use of decompression and extraction tools, and unusual child processes spawned when a user opens a file, to detect SFX- or archive-triggered execution.
  • Correlate file creation with network indicators and process behavior; a process that reads a high-entropy file and then makes an outbound connection to an unknown address is a strong candidate for C2 staging.
  • Expect false positives from legitimate encrypted backups and compressed installers; tune rules by allow-listing known publishers and verifying business workflows.
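The following is an added example written for this page; it is not code from MITRE ATT&CK or from any of the cited reports. It shows both sides of the Description and Detection sections above: a constructed config string holding a C2 address (a TEST-NET-3 address, not a real indicator) is XORed with a constructed hardcoded single-byte key and then Base64-encoded twice, so the address no longer appears in the bytes written to disk; the detection half then classifies samples by Shannon entropy, peels the Base64 layers, and brute-forces the XOR key, accepting a candidate only when it decodes to printable text containing an IPv4:port or URL indicator. The 7.2-bit threshold and the IOC regex are illustrative choices, not values from the page.

```python
"""Layered encoding of a C2 config and a detection pass that undoes it.

Added example for this page; not code from MITRE ATT&CK or from any cited report.
The config string, the TEST-NET-3 address, the XOR key and the entropy threshold
are constructed for illustration.
"""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

# --- attacker side ---------------------------------------------------------
PLAINTEXT_CONFIG = b'{"c2":"203.0.113.10:8443","sleep":60}'  # constructed sample
XOR_KEY = 0x5A                                              # constructed hardcoded key


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (a bijection, so it preserves entropy)."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext: bytes, key: int) -> bytes:
    """XOR with a hardcoded byte, then Base64 twice: a cheap layered scheme that
    removes the C2 string and the JSON structure from the bytes written to disk."""
    return base64.b64encode(base64.b64encode(xor_single(plaintext, key)))


# --- defender side ---------------------------------------------------------
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
# IOC pattern used to accept a decoding attempt: IPv4:port or a URL scheme.
C2_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}|https?://")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(data: bytes) -> str:
    """Triage bucket. Base64 text can never exceed log2(64) = 6 bits/byte, so a
    threshold tuned for packed or encrypted binaries (here 7.2, illustrative)
    misses encoded text; the alphabet check catches that case separately."""
    if B64_RE.fullmatch(data.strip()):
        return "base64-text"
    if shannon_entropy(data) > 7.2:
        return "encrypted-or-packed"
    return "plain"


def try_base64(data: bytes):
    """Decode one Base64 layer, or return None if the bytes are not well-formed Base64."""
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_config(data: bytes) -> bool:
    """Accept a candidate only if it is printable text that contains a C2 indicator."""
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable and C2_RE.search(data) is not None


def deobfuscate(blob: bytes, max_layers: int = 8):
    """Peel Base64 layers, then brute-force a single-byte XOR key on the residue.
    Returns (recovered bytes or None, list of layer descriptions in peel order).
    Multi-byte or real cipher keys need key recovery and are out of scope here."""
    layers, cur = [], blob
    for _ in range(max_layers):
        dec = try_base64(cur)
        if dec is None:
            break
        layers.append("base64")
        cur = dec
    if looks_like_config(cur):
        return cur, layers
    for key in range(1, 256):
        cand = xor_single(cur, key)
        if looks_like_config(cand):
            layers.append(f"xor:0x{key:02x}")
            return cand, layers
    return None, layers


def pseudo_encrypted(n_blocks: int = 32) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests (constructed)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


if __name__ == "__main__":
    blob = obfuscate(PLAINTEXT_CONFIG, XOR_KEY)
    print("on-disk bytes contain C2 string:", b"203.0.113.10" in blob)
    for name, sample in (("config", PLAINTEXT_CONFIG), ("obfuscated", blob),
                         ("ciphertext-like", pseudo_encrypted())):
        print(f"{name:16s} entropy={shannon_entropy(sample):.2f} bucket={classify_entropy(sample)}")
    recovered, layers = deobfuscate(blob)
    print("layers:", layers, "recovered:", recovered)
```

Two points the run makes that the bullets above only state: the double-Base64 file lands in the low-entropy "base64-text" bucket rather than tripping the packed-binary threshold, and XOR with a single key byte leaves the entropy of the plaintext exactly unchanged, so entropy alone never distinguishes a XORed config from the original. Key recovery here is the cheapest case (one byte, brute-forced against an IOC pattern); a hardcoded multi-byte key or a password-protected archive needs the key or password from the loader or the phishing lure.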

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
File: File Creation, File: File Metadata

Relationship Citations:
(Citation: CrowdStrike Putter Panda),(Citation: Microsoft Moonstone Sleet 2024),(Citation: Cisco MagicRAT 2022),(Citation: McAfee Night Dragon),(Citation: SentinelOne SocGholish Infrastructure November 2022),(Citation: MalwareBytes WoodyRAT Aug 2022),(Citation: Trend Micro njRAT 2018),(Citation: ESET LoudMiner June 2019),(Citation: Radware Micropsia July 2018),(Citation: Intezer HiddenWasp Map 2019),(Citation: SentinelLabs Metador Sept 2022),(Citation: ESET TeleBots Oct 2018),(Citation: Novetta Blockbuster),(Citation: FireEye APT34 Dec 2017),(Citation: Fysbis Dr Web Analysis),(Citation: ESET Hermetic Wizard March 2022),(Citation: Carbon Black HotCroissant April 2020),(Citation: Cybereason Kimsuky November 2020),(Citation: NCC Group WastedLocker June 2020),(Citation: FireEye APT33 Guardrail),(Citation: US-CERT Volgmer 2 Nov 2017),(Citation: SecureWorks August 2019),(Citation: Qualys LummaStealer 2024),(Citation: ClearSky Lazarus Aug 2020),(Citation: Emissary Trojan Feb 2016),(Citation: Crowdstrike Indrik November 2018),(Citation: TrendMicro Tropic Trooper May 2020),(Citation: NCC Group Team9 June 2020),(Citation: Kaspersky Cloud Atlas December 2014),(Citation: Trustwave BlackByte 2021),(Citation: FireEye HAWKBALL Jun 2019),(Citation: US-CERT TYPEFRAME June 2018),(Citation: rapid7-email-bombing),(Citation: Talos GravityRAT),(Citation: Picus Sodinokibi January 2020),(Citation: Unit 42 KerrDown February 2019),(Citation: Dell Sakula),(Citation: ESET Attor Oct 2019),(Citation: FBI FLASH APT39 September 2020),(Citation: Sekoia Raccoon1 2022),(Citation: Microsoft DUBNIUM July 2016),(Citation: Kaspersky ProjectSauron Technical Analysis),(Citation: Bishop Fox Sliver Framework August 2019),(Citation: ESET Gelsemium June 2021),(Citation: Securelist LuckyMouse June 2018),(Citation: ESET Lazarus Jun 2020),(Citation: ESET OceanLotus macOS April 2019),(Citation: PWC Cloud Hopper Technical Annex April 2017),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: Proofpoint TA505 Jan 2019),(Citation: Trend Micro TeamTNT),(Citation: Donut Github),(Citation: ESET Security Mispadu Facebook Ads 2019),(Citation: TrendMicro MacOS April 2018),(Citation: SentinelOne Cuckoo Stealer May 2024),(Citation: CheckPoint Naikon May 2020),(Citation: Palo Alto Reaver Nov 2017),(Citation: ClearSky Siamesekitten August 2021),(Citation: Medium Metamorfo Apr 2020),(Citation: ESET Sednit USBStealer 2014),(Citation: Unit42 BendyBear Feb 2021),(Citation: PaloAlto DNS Requests May 2016),(Citation: Unit 42 Bisonal July 2018),(Citation: Crowdstrike Helix Kitten Nov 2018),(Citation: CISA AR21-126A FIVEHANDS May 2021),(Citation: TrendMicro Lazarus Nov 2018),(Citation: Securelist Brazilian Banking Malware July 2020),(Citation: Sophos SamSam Apr 2018),(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023),(Citation: SentinelOne Agrius 2021),(Citation: Unit 42 Sofacy Feb 2018),(Citation: Accenture SNAKEMACKEREL Nov 2018),(Citation: Talos Micropsia June 2017),(Citation: ESET OceanLotus),(Citation: Talos Zeus Panda Nov 2017),(Citation: Unit 42 Magic Hound Feb 2017),(Citation: Rewterz Sidewinder APT April 2020),(Citation: CrowdStrike Wizard Spider October 2020),(Citation: Secureworks REvil September 2019),(Citation: Accenture Lyceum Targets November 2021),(Citation: Cylance Dust Storm),(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021),(Citation: Secureworks GandCrab and REvil September 2019),(Citation: Palo Alto MidnightEclipse APR 2024),(Citation: Cyble Sidewinder September 2020),(Citation: Malwarebytes SmokeLoader 2016),(Citation: Zscaler XLoader 2025),(Citation: Accenture Hogfish April 2018),(Citation: McAfee Honeybee),(Citation: ESET Turla Mosquito Jan 2018),(Citation: S2W Racoon 2022),(Citation: Zscaler Higaisa 2020),(Citation: Proofpoint Leviathan Oct 2017),(Citation: Unit 42 CARROTBAT November 2018),(Citation: Talos Smoke Loader July 2018),(Citation: Google Cloud APT41 2022),(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023),(Citation: ESET Sednit Part 1),(Citation: Nccgroup Emissary Panda May 2018),(Citation: Trend Micro Tick November 2019),(Citation: Cybereason Bazar July 2020),(Citation: ESET Casbaneiro Oct 2019),(Citation: Symantec Bilbug 2022),(Citation: Lumen Versa 2024),(Citation: objective-see windtail2 jan 2019),(Citation: RedCanary Mockingbird May 2020),(Citation: Sentinel Labs LockBit 3.0 JUL 2022),(Citation: Prevx Carberp March 2011),(Citation: Trend Micro Iron Tiger April 2021),(Citation: Intel 471 REvil March 2020),(Citation: TrendMicro Tropic Trooper Mar 2018),(Citation: CISA Supernova Jan 2021),(Citation: MSTIC Nobelium Toolset May 2021),(Citation: Mandiant APT41),(Citation: Unit 42 Hildegard Malware),(Citation: ESET ForSSHe December 2018),(Citation: Trend Micro Skidmap),(Citation: Cybereason Cobalt Kitty 2017),(Citation: Bitdefender FunnyDream Campaign November 2020),(Citation: Recorded Future RedDelta 2025),(Citation: FireEye FELIXROOT July 2018),(Citation: FireEye Periscope March 2018),(Citation: F-Secure CozyDuke),(Citation: TrendMicro macOS Dacls May 2020),(Citation: BlackBerry CostaRicto November 2020),(Citation: TrendMicro TropicTrooper 2015),(Citation: Cisco Operation Layover September 2021),(Citation: FireEye FiveHands April 2021),(Citation: Proofpoint Operation Transparent Tribe March 2016),(Citation: Malwarebytes Konni Aug 2021),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Kaspersky ThreatNeedle Feb 2021),(Citation: FOX-IT May 2016 Mofang),(Citation: emotet_trendmicro_mar2023),(Citation: ESET GreyEnergy Oct 2018),(Citation: Kaspersky ToddyCat June 2022),(Citation: Symantec Remsec IOCs),(Citation: Talos Promethium June 2020),(Citation: Oligo ShadowRay Campaign MAR 2024),(Citation: FireEye FIN7 Oct 2019),(Citation: ESET OceanLotus Mar 2019),(Citation: Symantec Cicada November 2020),(Citation: Volexity InkySquid BLUELIGHT August 2021),(Citation: Lazarus APT January 2022),(Citation: Proofpoint TA505 Sep 2017),(Citation: Microsoft Albanian Government Attacks September 2022),(Citation: Bitdefender StrongPity June 2020),(Citation: US-CERT BLINDINGCAN Aug 2020),(Citation: Symantec Whitefly March 2019),(Citation: Unit 42 IronNetInjector February 2021),(Citation: Forcepoint Monsoon),(Citation: FireEye SUNSHUTTLE Mar 2021),(Citation: Talos Bisonal Mar 2020),(Citation: Trellix Darkgate 2023),(Citation: Palo Alto OilRig May 2016),(Citation: Cisco Ukraine Wipers January 2022),(Citation: McAfee Lazarus Nov 2020),(Citation: ESET Operation Groundbait),(Citation: FireEye APT19),(Citation: Group IB Ransomware May 2020),(Citation: WithSecure Kapeka 2024),(Citation: Bromium Ursnif Mar 2017),(Citation: Talos Seduploader Oct 2017),(Citation: Unit42 Emissary Panda May 2019),(Citation: Google Cloud APT41 2024),(Citation: Symantec Elderwood Sept 2012),(Citation: Forcepoint BITTER Pakistan Oct 2016),(Citation: Microsoft Iranian Threat Actor Trends November 2021),(Citation: G Data Sodinokibi June 2019),(Citation: Netskope Squirrelwaffle Oct 2021),(Citation: Cisco Talos Bitter Bangladesh May 2022),(Citation: Kaspersky StoneDrill 2017),(Citation: ESET OilRig Campaigns Sep 2023),(Citation: Checkpoint MosesStaff Nov 2021),(Citation: Bitdefender APT28 Dec 2015),(Citation: SCILabs Malteiro Threat Overlap 2023),(Citation: Elastic Latrodectus May 2024),(Citation: Palo Alto Sofacy 06-2018),(Citation: GitHub Invoke-Obfuscation),(Citation: Lotus Blossom Dec 2015),(Citation: Symantec RAINDROP January 2021),(Citation: Unit 42 VERMIN Jan 2018),(Citation: Novetta-Axiom),(Citation: FireEye APT32 May 2017),(Citation: Aqua TeamTNT August 2020),(Citation: Cybereason StealBit Exfiltration Tool),(Citation: Kandji Cuckoo April 2024),(Citation: ESET PipeMon May 2020),(Citation: Novetta Winnti April 2015),(Citation: Unit42 OilRig Nov 2018),(Citation: Juniper IcedID June 2020),(Citation: ANY.RUN XLoader 2023),(Citation: S2 Grupo TrickBot June 2017),(Citation: PaloAlto CardinalRat Apr 2017),(Citation: ATT Sidewinder January 2021),(Citation: Kaspersky ToddyCat Check Logs October 2023),(Citation: Securelist Remexi Jan 2019),(Citation: McAfee Sodinokibi October 2019),(Citation: McAfee Sharpshooter December 2018),(Citation: FireEye APT10 Sept 2018),(Citation: Latrodectus APR 2024),(Citation: Volexity UPSTYLE 2024),(Citation: Ensilo Darkgate 2018),(Citation: Mandiant Pulse Secure Update May 2021),(Citation: Leonardo Turla Penquin May 2020),(Citation: SCILabs Malteiro 2021),(Citation: McAfee Lazarus Jul 2020),(Citation: Fidelis INOCNATION),(Citation: Microsoft Deep Dive Solorigate January 2021),(Citation: RecordedFuture WhisperGate Jan 2022),(Citation: Malwarebytes Higaisa 2020),(Citation: Securelist WhiteBear Aug 2017),(Citation: Bitsight Latrodectus June 2024),(Citation: Group-IB RansomHub FEB 2025),(Citation: GDATA Zeus Panda June 2017),(Citation: Unit 42 Nokki Oct 2018),(Citation: ESET Operation Spalax Jan 2021),(Citation: Lookout Dark Caracal Jan 2018),(Citation: DCSO StrelaStealer 2022),(Citation: Trend Micro Waterbear December 2019),(Citation: Lotus Blossom Jun 2015),(Citation: Kaspersky Lyceum October 2021),(Citation: ProofPoint Ursnif Aug 2016),(Citation: CitizenLab KeyBoy Nov 2016),(Citation: Trustwave GoldenSpy2 June 2020),(Citation: Microsoft March 2025 XCSSET),(Citation: ANSSI Sandworm January 2021),(Citation: Symantec Security Center Trojan.Kwampirs),(Citation: Cybereason Oceanlotus May 2017),(Citation: fsecure NanHaiShu July 2016),(Citation: Mandiant ROADSWEEP August 2022),(Citation: ESET LightNeuron May 2019),(Citation: Medium S2W WhisperGate January 2022),(Citation: GitHub Sliver C2),(Citation: Citizen Lab Group5),(Citation: CheckPoint SpeakUp Feb 2019),(Citation: ESET Grandoreiro April 2020),(Citation: Chronicle Winnti for Linux May 2019),(Citation: Mandiant APT1 Appendix),(Citation: Securelist Darkhotel Aug 2015),(Citation: Proofpoint ZeroT Feb 2017),(Citation: Trend Micro DRBControl February 2020),(Citation: Novetta Blockbuster RATs),(Citation: SentinelLabs Metador Technical Appendix Sept 2022),(Citation: Qualys LolZarus),(Citation: ESET EvilNum July 2020),(Citation: MSTIC NOBELIUM Mar 2021),(Citation: Mandiant Cutting Edge Part 2 January 2024),(Citation: Talos SamSam Jan 2018),(Citation: F-Secure Sofacy 2015),(Citation: Huntress LightSpy macOS 2024),(Citation: Sekoia Raccoon2 2022),(Citation: Unit 42 QUADAGENT July 2018),(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022),(Citation: CISA Iran Albanian Attacks September 2022),(Citation: SentinelOne Aoqin Dragon June 2022),(Citation: ESET Turla Lunar toolset May 2024),(Citation: McAfee Lazarus Resurfaces Feb 2018),(Citation: Bitdefender Naikon April 2021),(Citation: Novetta Blockbuster Loaders),(Citation: DHS CISA AA22-055A MuddyWater February 2022),(Citation: Unit42 OilRig Playbook 2023),(Citation: MSTIC FoggyWeb September 2021),(Citation: ZScaler Squirrelwaffle Sep 2021),(Citation: NCC Group Fivehands June 2021),(Citation: Obfuscated scripts)

Read More: https://attack.mitre.org/techniques/T1027/013