
Detect Encrypted/Encoded File in IBM QRadar

Adversaries encrypt or encode files to conceal malicious content and defeat static signature detection. Schemes seen in the wild include XOR (single-byte and multi-byte), RC4, AES, 3DES, Base64 and custom encodings, applied to malware payloads, configuration files, C2 communication blobs and dropped files. Either the whole file or only selected values (C2 addresses, strings) may be obfuscated, sometimes in several redundant layers. Common delivery vectors are password-protected ZIP archives and Word documents and self-extracting (SFX) archives. Threat actors ranging from APT28 and Inception Group to ransomware families such as Qilin and RansomHub consistently use encrypted or encoded files to evade antivirus and EDR static analysis.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.013 Encrypted/Encoded File
Canonical reference: https://attack.mitre.org/techniques/T1027/013/

QRadar Detection Query

Platform: IBM QRadar (AQL)

```sql
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       LOGSOURCENAME(logsourceid) AS log_source,
       sourceip,
       username,
       "Image",
       "CommandLine",
       "TargetFilename",
       "ParentImage",
       CASE
         WHEN LOWER("Image") LIKE '%certutil.exe%' AND (LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-decodehex%') THEN 'certutil_decode'
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex%' OR LOWER("CommandLine") LIKE '%&(%') THEN 'powershell_b64_decode_exec'
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%' THEN 'powershell_xor_decode'
         WHEN (LOWER("Image") LIKE '%7z.exe%' OR LOWER("Image") LIKE '%7za.exe%' OR LOWER("Image") LIKE '%winrar.exe%' OR LOWER("Image") LIKE '%wrar.exe%') AND "CommandLine" LIKE '%-p%' THEN 'password_protected_archive'
         WHEN (LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%') AND (LOWER("CommandLine") LIKE '%base64%' OR LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%encoding%') THEN 'scripting_engine_encoded_exec'
         WHEN (LOWER("TargetFilename") LIKE '%\temp\%' OR LOWER("TargetFilename") LIKE '%\appdata\%' OR LOWER("TargetFilename") LIKE '%\programdata\%') AND (LOWER("TargetFilename") LIKE '%.bin' OR LOWER("TargetFilename") LIKE '%.dat' OR LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.tmp') AND (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%cmd.exe%') THEN 'suspicious_encoded_file_drop'
         ELSE 'unclassified'
       END AS detection_type,
       CASE
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' THEN 85
         WHEN LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%' THEN 80
         WHEN LOWER("Image") LIKE '%certutil.exe%' THEN 75
         WHEN LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' THEN 75
         WHEN LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.bin' THEN 60
         ELSE 55
       END AS risk_score
FROM events
WHERE (
    (LOWER("Image") LIKE '%certutil.exe%' AND (LOWER("CommandLine") LIKE '%-decode%' OR LOWER("CommandLine") LIKE '%-decodehex%'))
    OR (LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%frombase64string%' AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex%' OR LOWER("CommandLine") LIKE '%&(%'))
    OR (LOWER("Image") LIKE '%powershell.exe%' AND LOWER("CommandLine") LIKE '%bxor%')
    OR ((LOWER("Image") LIKE '%7z.exe%' OR LOWER("Image") LIKE '%7za.exe%' OR LOWER("Image") LIKE '%winrar.exe%' OR LOWER("Image") LIKE '%wrar.exe%') AND "CommandLine" LIKE '%-p%')
    OR ((LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%') AND (LOWER("CommandLine") LIKE '%base64%' OR LOWER("CommandLine") LIKE '%bxor%' OR LOWER("CommandLine") LIKE '%encoding%'))
    OR ((LOWER("TargetFilename") LIKE '%\temp\%' OR LOWER("TargetFilename") LIKE '%\appdata\%' OR LOWER("TargetFilename") LIKE '%\programdata\%') AND (LOWER("TargetFilename") LIKE '%.bin' OR LOWER("TargetFilename") LIKE '%.dat' OR LOWER("TargetFilename") LIKE '%.enc' OR LOWER("TargetFilename") LIKE '%.tmp') AND (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%cmd.exe%'))
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: high.

IBM QRadar AQL query for T1027.013. It searches the events table for Sysmon process-creation (EventCode 1) and file-creation (EventCode 11) records, and picks up Windows Security process-creation audits (EventCode 4688) only where the Security DSM populates the same "Image" and "CommandLine" custom properties; it does not filter on event ID or join the two sources, so any event whose properties match is returned. Note that 4688 carries a command line only when "Include command line in process creation events" is enabled in audit policy. Each hit is labelled with a detection subtype and a risk score: PowerShell Base64 decode followed by an execution primitive (85), PowerShell XOR via -bxor (80), certutil decode (75), scripting-engine encoded execution (75), suspicious encoded file drop to a staging path (60 for .enc and .bin, otherwise 55), and password-protected archive creation or extraction (55). The WHERE clause is the same set of conditions OR'd together, so the 'unclassified' branch never fires. Two scope limits worth knowing: the certutil branch matches only the dash form of the switch ('-decode'; certutil also accepts '/decode'), and PowerShell's -EncodedCommand form is not covered here at all, since it contains no FromBase64String call.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Sysmon DSM
  • Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • System administrators using certutil.exe for routine certificate encoding and decoding during PKI provisioning, certificate renewal or CRL distribution will trigger certutil_decode detections; scope an exclusion to the PKI service account or the provisioning host rather than to certutil.exe itself
  • Automated configuration management tools (SCCM task sequences, Ansible playbooks, Puppet manifests) that invoke PowerShell with Base64-encoded command strings will generate persistent powershell_b64_decode_exec detections, particularly during patch cycles; key exclusions on the parent process ("ParentImage") so that a user-launched shell is still caught
  • Enterprise backup and archiving solutions (Veeam, Acronis, Veritas) configured to drive WinRAR or 7-Zip with encryption passwords for backup set protection will consistently trigger password_protected_archive detections on backup agent hosts; the '-p' match is a bare substring test, so expect it to fire on any switch beginning with -p as well
  • The suspicious_encoded_file_drop branch treats any .tmp written under \temp\ by cmd.exe or powershell.exe as suspicious, which is common behaviour for installers and scripts; tune that branch by parent process or extension before enabling it at the stated severity
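The query's two CASE expressions and its WHERE clause, modelled in Python and run over constructed Sysmon-style events, with the exclusions from the tuning list above expressed as allowlist rules. This is an added example, not code from the page's detection package or from IBM; the parent-process names backupagent.exe and ccmexec.exe, the account svc_pki, the file paths and the Base64 blob are assumptions made up for the example. It also carries two inputs the query does not select (certutil with the slash switch, and -EncodedCommand) so that the gaps are visible next to the hits.

```python
"""Reference model of the T1027.013 AQL query above, run over constructed
Sysmon-style events. Added example; not part of the page's detection package."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """Fields the query reads; names mirror the Sysmon custom properties."""
    image: str
    command_line: str = ""
    target_filename: str = ""
    parent_image: str = ""
    username: str = ""


SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "mshta.exe", "cscript.exe", "cmd.exe")
WSH_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
ARCHIVERS = ("7z.exe", "7za.exe", "winrar.exe", "wrar.exe")
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
ENCODED_EXTS = (".bin", ".dat", ".enc", ".tmp")


def _has(value: str, *needles: str) -> bool:
    """Case-insensitive substring test: LOWER(value) LIKE '%needle%' for any needle."""
    value = value.lower()
    return any(n in value for n in needles)


def classify(ev: Event) -> Optional[str]:
    """detection_type from the query's first matching CASE branch, or None when the
    WHERE clause (the same conditions OR'd together) would not select the event."""
    img, cmd, tgt = ev.image, ev.command_line, ev.target_filename
    if _has(img, "certutil.exe") and _has(cmd, "-decode"):   # "-decodehex" contains "-decode"
        return "certutil_decode"
    if (_has(img, "powershell.exe") and _has(cmd, "frombase64string")
            and _has(cmd, "invoke-expression", "iex", "&(")):
        return "powershell_b64_decode_exec"
    if _has(img, "powershell.exe") and _has(cmd, "bxor"):
        return "powershell_xor_decode"
    if _has(img, *ARCHIVERS) and "-p" in cmd:                # case-sensitive, as in the query
        return "password_protected_archive"
    if _has(img, *WSH_HOSTS) and _has(cmd, "base64", "bxor", "encoding"):
        return "scripting_engine_encoded_exec"
    if _has(tgt, *STAGING_DIRS) and tgt.lower().endswith(ENCODED_EXTS) and _has(img, *SCRIPT_HOSTS):
        return "suspicious_encoded_file_drop"
    return None  # the query's ELSE 'unclassified' is unreachable: WHERE has already filtered


def risk_score(ev: Event) -> int:
    """Second CASE expression; evaluated independently of detection_type."""
    img, cmd, tgt = ev.image, ev.command_line, ev.target_filename
    if _has(img, "powershell.exe") and _has(cmd, "frombase64string"):
        return 85
    if _has(img, "powershell.exe") and _has(cmd, "bxor"):
        return 80
    if _has(img, "certutil.exe") or _has(img, *WSH_HOSTS):
        return 75
    if tgt.lower().endswith((".enc", ".bin")):
        return 60
    return 55


# Tuning exclusions modelled on the False Positives list above. The process and
# account names are placeholders (assumptions); substitute what your fleet shows.
EXCLUSIONS = (
    ("password_protected_archive", "parent_image", "backupagent.exe"),
    ("certutil_decode", "username", "svc_pki"),
    ("powershell_b64_decode_exec", "parent_image", "ccmexec.exe"),
)


def is_suppressed(ev: Event, detection_type: str) -> bool:
    """True when an allowlist rule for this detection_type matches the event."""
    return any(detection_type == dt and needle in getattr(ev, field).lower()
               for dt, field, needle in EXCLUSIONS)


def run(events: List[Event]) -> List[dict]:
    """Rows the query would return, ordered like ORDER BY risk_score DESC, each with
    the tuning verdict attached (stable sort keeps input order within equal scores)."""
    rows = []
    for ev in events:
        dt = classify(ev)
        if dt is None:
            continue
        rows.append({"image": ev.image, "detection_type": dt,
                     "risk_score": risk_score(ev), "suppressed": is_suppressed(ev, dt)})
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    return rows


# Constructed events: paths, accounts and the Base64 blob are made up for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\certutil.exe", "certutil -decode payload.b64 payload.exe", username="bob"),
    Event(r"C:\Windows\System32\certutil.exe", "certutil -decode newcert.b64 newcert.cer", username="svc_pki"),
    Event(r"C:\Windows\System32\certutil.exe", "certutil /decode payload.b64 payload.exe", username="bob"),
    Event(PS, "powershell -nop -c IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8=')))",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(PS, "powershell -c $d=$b|%{$_ -bxor 0x41};iex([Text.Encoding]::ASCII.GetString($d))"),
    Event(PS, "powershell -EncodedCommand SQBFAFgAIAAoAC4ALgAuACkA"),
    Event(r"C:\Program Files\7-Zip\7z.exe", "7z.exe a -pS3cret stage.7z stage.bin",
          parent_image=r"C:\Program Files\Backup\backupagent.exe"),
    Event(r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x -pS3cret C:\Users\bob\Downloads\inv.7z",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\wscript.exe", "wscript.exe loader.vbs base64blob.txt"),
    Event(r"C:\Windows\System32\cmd.exe", target_filename=r"C:\Users\bob\AppData\Local\Temp\stage.enc"),
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Running it lists eight rows in the order QRadar would return them; the svc_pki certutil run and the backup-agent 7z invocation come back flagged suppressed while the user-launched equivalents do not, and the slash-switch certutil and -EncodedCommand events never appear, which is where coverage decisions for this rule should start.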
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Two prerequisites apply throughout: Sysmon EventCode 11 is emitted only for paths covered by a FileCreate rule in your Sysmon configuration, and EventCode 4104 requires PowerShell Script Block Logging to be enabled.

  1. Test 1: Base64 Encode, Drop, and Decode with certutil

    Expected signal: Sysmon EventCode 1 (ProcessCreate) for certutil.exe with '-decode' in CommandLine. EventCode 11 for both the .b64 source file and decoded output file creation in %TEMP%.

  2. Test 2: PowerShell XOR Decryption Simulating Single-Byte XOR Malware

    Expected signal: Sysmon EventCode 1 (ProcessCreate) for powershell.exe. PowerShell Script Block Logging EventCode 4104 will capture the deobfuscated script including the -bxor operator and Invoke-Expression call.

  3. Test 3: Password-Protected ZIP Delivery and Extraction

    Expected signal: Sysmon EventCode 1 for 7z.exe invocations with the '-p' switch in CommandLine; because Sysmon records the full command line, the archive password itself appears in clear text in that field. EventCode 11 for .zip creation and extracted file creation in %TEMP%.

  4. Test 4: Base64 Blob Decode and Execute via PowerShell

    Expected signal: Sysmon EventCode 1 for powershell.exe. PowerShell Script Block Logging EventCode 4104 will capture both the FromBase64String call and, as a separate script block, the decoded content passed to Invoke-Expression. This is the primary high-value telemetry source, since the process-creation event shows only the outer command line.
