T1027.013

Encrypted/Encoded File

Adversaries encrypt or encode files to conceal malicious content and evade static signature detection. Techniques include XOR (single-byte and multi-byte), RC4, AES, 3DES, Base64, and custom encoding schemes applied to malware payloads, configuration files, C2 communication blobs, and dropped files. The full content or only specific values (such as C2 addresses or strings) may be obfuscated, sometimes in multiple redundant layers. Common delivery vectors include password-protected ZIP/Word documents and self-extracting (SFX) archives. Threat actors ranging from APT28 and Inception Group to ransomware families like Qilin and RansomHub consistently use encrypted/encoded files to defeat antivirus and EDR static analysis.

Microsoft Sentinel / Defender

kusto

// T1027.013 - Encrypted/Encoded File
// Detect execution patterns associated with decoding/decrypting payloads at runtime
let EncodedPayloadExecution = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (
    // certutil decoding Base64 or hex-encoded files
    (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-decode", "-decodehex", "decode"))
    // PowerShell decoding Base64 blobs and executing
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("[Convert]::FromBase64String", "FromBase64String", "System.Convert") and ProcessCommandLine has_any ("Invoke-Expression", "iex", "IEX", "&(", ".Invoke"))
    // expand/extract SFX or password-protected archives via common tools
    or (FileName in~ ("7z.exe", "7za.exe", "winrar.exe", "wrar.exe") and ProcessCommandLine has_any ("-p", "-p\"", "x ") and ProcessCommandLine matches regex @"-p\S+")
    // XOR decode pattern: PowerShell with bxor operator
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-bxor", "bxor"))
    // mshta/wscript executing content that was previously decoded
    or (FileName in~ ("mshta.exe", "wscript.exe", "cscript.exe") and ProcessCommandLine has_any ("Base64", "FromBase64", "bxor", "Encoding"))
)
| extend DetectionType = case(
    FileName =~ "certutil.exe", "certutil_decode",
    FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-bxor", "bxor"), "powershell_xor_decode",
    FileName =~ "powershell.exe", "powershell_base64_decode_exec",
    FileName in~ ("7z.exe", "7za.exe", "winrar.exe", "wrar.exe"), "password_protected_archive_extract",
    "encoded_content_execution"
);
let SuspiciousFileWrites = DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\ProgramData\\")
| where FileName endswith ".bin" or FileName endswith ".dat" or FileName endswith ".tmp" or FileName endswith ".cfg" or FileName endswith ".enc"
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend DetectionType = "suspicious_encoded_file_drop";
EncodedPayloadExecution
| union SuspiciousFileWrites
| project-reorder Timestamp, DeviceName, DetectionType, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

severity confidence

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      (process.name : "certutil.exe" and process.command_line : ("*-decode*", "*-decodehex*"))
      or (process.name : "powershell.exe" and process.command_line : "*FromBase64String*" and process.command_line : ("*Invoke-Expression*", "*iex*", "*IEX*", "*&(*", "*.Invoke*"))
      or (process.name : "powershell.exe" and process.command_line : "*bxor*")
      or (process.name : ("7z.exe", "7za.exe", "winrar.exe", "wrar.exe") and process.command_line regex~ "-p\\S+")
      or (process.name : ("mshta.exe", "wscript.exe", "cscript.exe") and process.command_line : ("*Base64*", "*FromBase64*", "*bxor*", "*Encoding*"))
    )
  )
  or
  (
    event.category == "file" and event.type : ("creation", "change") and
    file.extension : ("bin", "dat", "tmp", "cfg", "enc") and
    file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*") and
    process.name : ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

IT administrators legitimately invoke certutil.exe -decode for PKI certificate management, decoding Base64-encoded certificate bundles or CRL files as part of routine PKI operations
Enterprise software deployment pipelines (SCCM, Intune MDM, Ansible, DSC) routinely use PowerShell with [Convert]::FromBase64String to pass encoded configuration payloads, producing high-volume powershell_b64_decode_exec matches during deployment windows
Patch management and software packaging solutions (PDQ Deploy, Chocolatey, NSIS installers) commonly produce password-protected 7z or WinRAR archives and drop encoded config or cache files to %TEMP% and %ProgramData% during installation sequences

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       LOGSOURCENAME(logsourceid) AS log_source,
       sourceip,
       username,
       "Image",
       "CommandLine",
       "TargetFilename",
       "ParentImage",
       CASE
         WHEN LOWER("Image") LIKE '%certutil.exe%' AND (LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-decodehex%') THEN 'certutil_decode'
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex%' OR LOWER("CommandLine") LIKE '%&(%') THEN 'powershell_b64_decode_exec'
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%' THEN 'powershell_xor_decode'
         WHEN (LOWER("Image") LIKE '%7z.exe%' OR LOWER("Image") LIKE '%7za.exe%' OR LOWER("Image") LIKE '%winrar.exe%' OR LOWER("Image") LIKE '%wrar.exe%') AND "CommandLine" LIKE '%-p%' THEN 'password_protected_archive'
         WHEN (LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%') AND (LOWER("CommandLine") LIKE '%base64%' OR LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%encoding%') THEN 'scripting_engine_encoded_exec'
         WHEN (LOWER("TargetFilename") LIKE '%\temp\%' OR LOWER("TargetFilename") LIKE '%\appdata\%' OR LOWER("TargetFilename") LIKE '%\programdata\%') AND (LOWER("TargetFilename") LIKE '%.bin' OR LOWER("TargetFilename") LIKE '%.dat' OR LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.tmp') AND (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%cmd.exe%') THEN 'suspicious_encoded_file_drop'
         ELSE 'unclassified'
       END AS detection_type,
       CASE
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' THEN 85
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%' THEN 80
         WHEN LOWER("Image") LIKE '%certutil.exe%' THEN 75
         WHEN LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' THEN 75
         WHEN LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.bin' THEN 60
         ELSE 55
       END AS risk_score
FROM events
WHERE (
    (LOWER("Image") LIKE '%certutil.exe%' AND (LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-decodehex%'))
    OR (LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex%' OR LOWER("CommandLine") LIKE '%&(%'))
    OR (LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%')
    OR ((LOWER("Image") LIKE '%7z.exe%' OR LOWER("Image") LIKE '%7za.exe%' OR LOWER("Image") LIKE '%winrar.exe%' OR LOWER("Image") LIKE '%wrar.exe%') AND "CommandLine" LIKE '%-p%')
    OR ((LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%') AND (LOWER("CommandLine") LIKE '%base64%' OR LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%encoding%'))
    OR ((LOWER("TargetFilename") LIKE '%\temp\%' OR LOWER("TargetFilename") LIKE '%\appdata\%' OR LOWER("TargetFilename") LIKE '%\programdata\%') AND (LOWER("TargetFilename") LIKE '%.bin' OR LOWER("TargetFilename") LIKE '%.dat' OR LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.tmp') AND (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%cmd.exe%'))
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

System administrators using certutil.exe for routine certificate encoding/decoding operations during PKI provisioning, certificate renewal, or CRL distribution tasks will trigger certutil_decode detections
Automated configuration management tools (SCCM task sequences, Ansible playbooks, Puppet manifests) that invoke PowerShell with Base64-encoded command strings will generate persistent powershell_b64_decode_exec detections, particularly during patch cycles
Enterprise backup and archiving solutions (Veeam, Acronis, Veritas) configured to use WinRAR or 7-Zip with encryption passwords for backup set protection will consistently trigger password_protected_archive detections on backup agent hosts

Sumo Logic CSE

sql

_sourceCategory=*windows* (EventCode=1 OR EventCode=4688 OR EventCode=11)
| parse regex "(?i)(?:Image|NewProcessName)(?:\s*:\s*|\s+\-\>\s+|[><=:\s]+)(?<image>[^\s<\r\n]+)" nodrop
| parse regex "(?i)(?:CommandLine|Process Command Line)[><=:\s]+(?<commandline>[^\r\n<]+)" nodrop
| parse regex "(?i)TargetFilename[><=:\s]+(?<targetfilename>[^\r\n<]+)" nodrop
| parse regex "EventCode[><=:\s]+(?<eventcode>\d+)" nodrop
| where (
    (eventcode in ("1", "4688") and (
      (matches(image, "(?i).*certutil\.exe") and matches(commandline, "(?i).*-(decode|decodehex).*"))
      or (matches(image, "(?i).*powershell\.exe") and matches(commandline, "(?i).*FromBase64String.*") and matches(commandline, "(?i).*(Invoke-Expression|iex|IEX|&\\(|\.Invoke).*"))
      or (matches(image, "(?i).*powershell\.exe") and matches(commandline, "(?i).*bxor.*"))
      or (matches(image, "(?i).*(7z|7za|winrar|wrar)\.exe") and matches(commandline, ".*-p\\S+.*"))
      or (matches(image, "(?i).*(mshta|wscript|cscript)\.exe") and matches(commandline, "(?i).*(Base64|FromBase64|bxor|Encoding).*"))
    ))
    or (eventcode = "11" and
      matches(targetfilename, "(?i).*\\\\(Temp|AppData|ProgramData)\\\\.*\\.(bin|dat|enc|tmp)")
      and matches(image, "(?i).*(powershell|cmd|wscript|cscript|mshta)\.exe")
    )
  )
| eval detection_type = if(
    matches(image, "(?i).*certutil\.exe") and matches(commandline, "(?i).*decode.*"),
    "certutil_decode",
    if(
      matches(image, "(?i).*powershell\.exe") and matches(commandline, "(?i).*bxor.*"),
      "powershell_xor_decode",
      if(
        matches(image, "(?i).*powershell\.exe") and matches(commandline, "(?i).*FromBase64String.*"),
        "powershell_b64_decode_exec",
        if(
          matches(image, "(?i).*(7z|7za|winrar|wrar)\.exe"),
          "password_protected_archive",
          if(
            matches(image, "(?i).*(mshta|wscript|cscript)\.exe"),
            "scripting_engine_encoded_exec",
            "suspicious_encoded_file_drop"
          )
        )
      )
    )
  )
| eval risk_score = if(detection_type = "powershell_b64_decode_exec", 85,
    if(detection_type = "powershell_xor_decode", 80,
    if(detection_type = "certutil_decode", 75,
    if(detection_type = "scripting_engine_encoded_exec", 75,
    if(detection_type = "suspicious_encoded_file_drop", 60, 55)))))
| fields _messageTime, _sourceHost, detection_type, risk_score, image, commandline, targetfilename
| sort by risk_score desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Installed Collector with Windows Source Sysmon via Sumo Logic Installed Collector

Required Tables

_sourceCategory=*windows*

False Positives

Enterprise IT automation (SCCM, Microsoft Intune, Ansible Tower) frequently issues PowerShell with Base64-encoded command payloads for cross-device configuration management, particularly during scheduled maintenance windows, causing high-volume false positives on managed endpoints
Security operations tooling and EDR agents (CrowdStrike Falcon, SentinelOne, Carbon Black) may drop .dat or .bin encoded configuration, signature, or telemetry cache files to AppData or ProgramData directories as part of normal agent operation
Software developers and DevSecOps engineers running local CI/CD pipelines, build scripts, or testing frameworks may invoke certutil, PowerShell encoding functions, or password-protected archive tools as part of development workflows on non-production workstations

Google Chronicle / SecOps

yaral

rule T1027_013_Encrypted_Encoded_File_Execution {
  meta:
    author = "Detection Engineering"
    description = "Detects runtime payload decoding and encrypted/encoded file execution patterns associated with T1027.013 Encrypted/Encoded File. Covers certutil decode, PowerShell Base64+exec chains, XOR decode via bxor, password-protected archive extraction via 7z/WinRAR, and scripting engine execution of encoded content."
    mitre_attack_technique = "T1027.013"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1027/013/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"

    (
      (
        re.regex($proc.target.process.file.full_path, `(?i)certutil\.exe$`) and
        re.regex($proc.target.process.command_line, `(?i)-(decode|decodehex)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)powershell\.exe$`) and
        re.regex($proc.target.process.command_line, `(?i)FromBase64String`) and
        re.regex($proc.target.process.command_line, `(?i)(Invoke-Expression|\biex\b|&\(|\.Invoke)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)powershell\.exe$`) and
        re.regex($proc.target.process.command_line, `(?i)\bbxor\b`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)(7z|7za|winrar|wrar)\.exe$`) and
        re.regex($proc.target.process.command_line, `-p\S+`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)(mshta|wscript|cscript)\.exe$`) and
        re.regex($proc.target.process.command_line, `(?i)(Base64|FromBase64|\bbxor\b|Encoding)`)
      )
    )

  condition:
    $proc
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle Forwarder CrowdStrike Falcon via Chronicle Integration SentinelOne via Chronicle Integration

Required Tables

UDM Events

False Positives

Automated software provisioning and configuration management systems (Ansible, Chef, Puppet, Terraform remote-exec, SCCM) generate frequent PROCESS_LAUNCH events for powershell.exe with FromBase64String in the command line as an expected operational pattern on managed servers
Security awareness and red team training platforms that demonstrate obfuscation techniques (Base64, XOR, certutil abuse) in controlled sandbox environments will produce high-fidelity but expected matches during training exercises
Enterprise software distribution tooling using WinRAR or 7-Zip with password-protected archives for secure patch delivery (particularly in air-gapped or high-security environments) will trigger the password-protected archive extraction pattern on software distribution servers and endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| (
    (FileName = /(?i)certutil\.exe/ AND CommandLine = /(?i)-(decode|decodehex)/)
    OR (FileName = /(?i)powershell\.exe/ AND CommandLine = /(?i)FromBase64String/ AND CommandLine = /(?i)(Invoke-Expression|\biex\b|&\(|\.Invoke)/)
    OR (FileName = /(?i)powershell\.exe/ AND CommandLine = /(?i)\bbxor\b/)
    OR (FileName = /(?i)(7z|7za|winrar|wrar)\.exe/ AND CommandLine = /-p\S+/)
    OR (FileName = /(?i)(mshta|wscript|cscript)\.exe/ AND CommandLine = /(?i)(Base64|FromBase64|\bbxor\b|Encoding)/)
  )
| case {
    FileName = /(?i)certutil\.exe/ |
      detection_type := "certutil_decode" |
      risk_score := 75;
    FileName = /(?i)powershell\.exe/ AND CommandLine = /(?i)\bbxor\b/ |
      detection_type := "powershell_xor_decode" |
      risk_score := 80;
    FileName = /(?i)powershell\.exe/ |
      detection_type := "powershell_b64_decode_exec" |
      risk_score := 85;
    FileName = /(?i)(7z|7za|winrar|wrar)\.exe/ |
      detection_type := "password_protected_archive" |
      risk_score := 55;
    * |
      detection_type := "scripting_engine_encoded_exec" |
      risk_score := 75
  }
| table(
    [timestamp, ComputerName, UserName, UserSid, detection_type, risk_score,
     FileName, CommandLine, ParentBaseFileName, SHA256HashData]
  )
| sort(field=risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2 FileCreateInfo

False Positives

CrowdStrike Falcon sensor policy deployment and RTR (Real Time Response) operations may internally invoke PowerShell with encoded parameters on managed endpoints, producing matches for powershell_b64_decode_exec that originate from the Falcon sensor process tree
Enterprise software packaging workflows using tools like Chocolatey, Scoop, or WinGet wrappers that call certutil for checksum verification or invoke 7z/WinRAR with password-protected archives during application installation will trigger certutil_decode and password_protected_archive detections on software distribution hosts
Authorized red team engagements and Atomic Red Team test executions (e.g., T1027.013 atomics using certutil, PowerShell FromBase64String with IEX, or -bxor patterns) will produce true-positive-equivalent alerts during scheduled test windows — correlate with change management records to suppress

Last updated: 2026-04-13 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.013 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Encrypted/Encoded File

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections