Stealth

T1027.013: Encrypted/Encoded File

T1027.013 · Sub-technique · 3 platforms · 40 groups

Description

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.

This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.

The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.

For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).(Citation: SFX - Encrypted/Encoded File)

Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.

Platforms

Linux, macOS, Windows

Mitigations (2)

Antivirus/Antimalware (M1049)

Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation.

Behavior Prevention on Endpoint (M1040)

On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Obfuscated scripts)

Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices.
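Both mitigations above point at file-level heuristics: M1049 mentions high entropy measurements, and M1040 asks for tools that analyse the encoding properties of files. The following Python script is an added example (not code from ATT&CK or from this page) of what such a check looks like in practice: it measures Shannon entropy, looks for long base64 runs, and, because the description notes that encoding and encryption are often layered, decodes any base64 run it finds and measures the entropy of the decoded bytes as well. The thresholds and the sample inputs are constructed for illustration and are not values from the page.

```python
import base64
import math
import random
import re
from collections import Counter

# Assumed thresholds for illustration only; tune them against your own corpus.
HIGH_ENTROPY_BITS = 7.2   # bits per byte; encrypted or compressed data sits near 8.0
MIN_BASE64_RUN = 64       # characters; long unbroken base64 runs are rare in prose or code

BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BASE64_RUN)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def base64_runs(data: bytes) -> list:
    """Return every run of base64-alphabet characters long enough to look like a blob."""
    return [m.group(0) for m in BASE64_RUN.finditer(data)]


def decodable_base64(run: bytes) -> bool:
    """True if the run is well-formed base64 (valid length and padding)."""
    try:
        base64.b64decode(run, validate=True)   # binascii.Error is a ValueError subclass
        return True
    except ValueError:
        return False


def classify(data: bytes) -> dict:
    """Summarise obfuscation indicators for one file's content.

    A base64-wrapped ciphertext blob has at most 6 bits/byte of entropy in its
    encoded form, so the raw entropy check alone misses it; decoding the run
    and measuring again catches the layered case.
    """
    entropy = shannon_entropy(data)
    runs = base64_runs(data)
    decoded = [base64.b64decode(r, validate=True) for r in runs if decodable_base64(r)]
    return {
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= HIGH_ENTROPY_BITS,
        "base64_runs": len(runs),
        "decoded_high_entropy": any(shannon_entropy(d) >= HIGH_ENTROPY_BITS for d in decoded),
    }


# Constructed sample inputs (not artifacts from the page).
PLAIN_SCRIPT = b"Write-Host 'hello world'\nGet-Process | Select-Object Name\n" * 8
_rng = random.Random(1337)  # seeded so the result is reproducible
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
ENCODED_SCRIPT = b"$payload = '" + base64.b64encode(RANDOM_BLOB) + b"'\n"  # layered: base64 over "ciphertext"

if __name__ == "__main__":
    for name, sample in [("plain script", PLAIN_SCRIPT),
                         ("random blob", RANDOM_BLOB),
                         ("base64-wrapped blob", ENCODED_SCRIPT)]:
        print(f"{name:22s} {classify(sample)}")
```

Run over real files, the interesting signal is usually not a single high entropy value (compressed images and installers score high too) but the combination: a script or document whose body is mostly one base64 run, and whose decoded content is itself near 8 bits per byte.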

Threat Groups (40)

| ID | Group | Context |
|---|---|---|
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Ka... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) has obfuscated strings in [Bandook](https://attack.mitre.org/software/S0234) by base64 encoding,... |
| G0066 | Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012) |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Mic... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transp... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) encrypted a .dll payload using RTL and a custom encryption algorithm. [APT28](https://attack.mitre.org/... |
| G0026 | APT18 | [APT18](https://attack.mitre.org/groups/G0026) obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has obfuscated code using base64.(Citation: Proofpoint Leviathan Oct 2017) |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple types of encryption and encoding for their payloads, including AES, Caracachs... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) initial payloads included encoded follow-on payloads located in the resources file of the first-st... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated code within files by converting hexadecimal strings to decimal numbers using the `CLng... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has used a RAR SFX dropper to deliver malware.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017) |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higai... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used Base64 to obfuscate payloads.(Citation: FireEye APT19) |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used encoded and obfuscated files, images, and executables.(Citation: Kaspersky BlindEagle AUG 2... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has base64 encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor Septembe... |

Associated Software (193)

| ID | Name | Type | Context |
|---|---|---|---|
| S1052 | DEADEYE | Malware | [DEADEYE](https://attack.mitre.org/software/S1052) has encrypted its payload.(Citation: Mandiant APT41) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can employ several code obfuscation methods, including renaming functions, altering control flows, an... |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) has been Base64 encoded and AES encrypted.(Citation: McAfee Lazarus Nov 2020) |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.(Citatio... |
| S0136 | USBStealer | Malware | Most strings in [USBStealer](https://attack.mitre.org/software/S0136) are encrypted using 3DES and XOR and reversed.(Citation: ESET Sednit USBStealer ... |
| S0082 | Emissary | Malware | Variants of [Emissary](https://attack.mitre.org/software/S0082) encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses th... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) strings are XOR-encrypted.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo ... |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487)'s configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 20... |
| S0565 | Raindrop | Malware | [Raindrop](https://attack.mitre.org/software/S0565) encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAIN... |
| S0433 | Rifdoor | Malware | [Rifdoor](https://attack.mitre.org/software/S0433) has encrypted strings with a single byte XOR algorithm.(Citation: Carbon Black HotCroissant April 2... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) can use encrypted and encoded files for C2 configuration.(Citation: ClearSky Siamesekitten August 202... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif ... |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has encrypted all strings in the code using position independent XOR encryption.(Citation: Cloud... |
| S1150 | ROADSWEEP | Malware | The [ROADSWEEP](https://attack.mitre.org/software/S1150) binary contains RC4 encrypted embedded scripts.(Citation: Mandiant ROADSWEEP August 2022)(Cit... |
| S1233 | PAKLOG | Malware | [PAKLOG](https://attack.mitre.org/software/S1233) has utilized a simple encoding mechanism to encode characters in the buffer.(Citation: Zscaler PAKLO... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) has an encrypted configuration file.(Citation: Group-IB RansomHub FEB 2025) |
| S1100 | Ninja | Malware | The [Ninja](https://attack.mitre.org/software/S1100) payload is XOR encrypted and compressed.(Citation: Kaspersky ToddyCat Check Logs October 2023) [N... |
| S0391 | HAWKBALL | Malware | [HAWKBALL](https://attack.mitre.org/software/S0391) has encrypted the payload with an XOR-based algorithm.(Citation: FireEye HAWKBALL Jun 2019) |
| S0468 | Skidmap | Malware | [Skidmap](https://attack.mitre.org/software/S0468) has encrypted its main payload using 3DES.(Citation: Trend Micro Skidmap) |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Securelis... |

Frequently Asked Questions

What is T1027.013 (Encrypted/Encoded File)?

T1027.013 is a MITRE ATT&CK technique named 'Encrypted/Encoded File'. It belongs to the Stealth tactic(s). Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within...

How can T1027.013 be detected?

Detection of T1027.013 (Encrypted/Encoded File) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1027.013?

There are 2 documented mitigations for T1027.013. Key mitigations include: Antivirus/Antimalware, Behavior Prevention on Endpoint.

Which threat groups use T1027.013?

Known threat groups using T1027.013 include: Inception, Dark Caracal, Elderwood, Darkhotel, Transparent Tribe, APT28, APT18, Leviathan.