Detect Encrypted/Encoded File in Sumo Logic CSE
Adversaries encrypt or encode files to conceal malicious content and evade static signature detection. Techniques include XOR (single-byte and multi-byte), RC4, AES, 3DES, Base64 and custom encoding schemes applied to malware payloads, configuration files, C2 communication blobs and dropped files. Either the full content or only specific values (such as C2 addresses or strings) may be obfuscated, sometimes in several redundant layers. Common delivery vectors include password-protected ZIP archives and Office documents and self-extracting (SFX) archives. Threat actors from APT28 and the Inception Group to operators of ransomware such as Qilin and RansomHub consistently use encrypted or encoded files to defeat antivirus and EDR static analysis.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1027 Obfuscated Files or Information
- Sub-technique: T1027.013 Encrypted/Encoded File
- Canonical reference: https://attack.mitre.org/techniques/T1027/013/
Sumo Detection Query
_sourceCategory=*windows* (EventCode=1 OR EventCode=4688 OR EventCode=11)
| parse regex "(?i)(?:Image|NewProcessName|New Process Name)[><=:\s]+(?<image>[^\r\n<]+?)\s*(?:[\r\n<]|$)" nodrop
| parse regex "(?i)(?:CommandLine|Process Command Line)[><=:\s]+(?<commandline>[^\r\n<]+)" nodrop
| parse regex "(?i)TargetFilename[><=:\s]+(?<targetfilename>[^\r\n<]+)" nodrop
| parse regex "EventCode[><=:\s]+(?<eventcode>\d+)" nodrop
| where (
    (eventcode in ("1", "4688") and (
      (image matches /(?i).*certutil\.exe/ and commandline matches /(?i).*-(decode|decodehex).*/)
      or (image matches /(?i).*powershell\.exe/ and commandline matches /(?i).*FromBase64String.*/
          and commandline matches /(?i).*(Invoke-Expression|iex|&\s*\(|\.Invoke).*/)
      or (image matches /(?i).*powershell\.exe/ and commandline matches /(?i).*bxor.*/)
      or (image matches /(?i).*(7z|7za|winrar|wrar)\.exe/ and commandline matches /(?i).*-h?p\S+.*/)
      or (image matches /(?i).*(mshta|wscript|cscript)\.exe/ and commandline matches /(?i).*(Base64|bxor|Encoding).*/)
    ))
    or (eventcode = "11"
      and targetfilename matches /(?i).*\\(Temp|AppData|ProgramData)\\.*\.(bin|dat|enc|tmp)/
      and image matches /(?i).*(powershell|cmd|wscript|cscript|mshta)\.exe/)
  )
| if(eventcode = "11", "suspicious_encoded_file_drop",
    if(image matches /(?i).*certutil\.exe/, "certutil_decode",
    if(image matches /(?i).*powershell\.exe/ and commandline matches /(?i).*bxor.*/, "powershell_xor_decode",
    if(image matches /(?i).*powershell\.exe/, "powershell_b64_decode_exec",
    if(image matches /(?i).*(7z|7za|winrar|wrar)\.exe/, "password_protected_archive",
    "scripting_engine_encoded_exec"))))) as detection_type
| if(detection_type = "powershell_b64_decode_exec", 85,
    if(detection_type = "powershell_xor_decode", 80,
    if(detection_type = "certutil_decode", 75,
    if(detection_type = "scripting_engine_encoded_exec", 75,
    if(detection_type = "suspicious_encoded_file_drop", 60, 55))))) as risk_score
| fields _messageTime, _sourceHost, detection_type, risk_score, image, commandline, targetfilename
| sort by risk_score desc

Sumo Logic query for T1027.013 over Sysmon Event ID 1 (process creation), Windows Security Event 4688 (process creation auditing) and Sysmon Event ID 11 (file creation) from *windows* source categories. parse regex extracts the process image, command line and target filename; an event is kept when one of five process-creation conditions or the file-drop condition holds, and is then labelled with one of six detection types and a risk score. Covered behaviours: certutil decode, PowerShell Base64-to-exec chains, PowerShell XOR (-bxor), password-protected archive extraction (7-Zip and WinRAR -p and -hp switches), scripting-engine encoded execution and encoded file staging drops.

Before deploying, check the following:
- The field regexes assume one field per line, as in the Sysmon Message body and the 4688 message text. image is terminated at the line end, not at the first space, so paths such as C:\Program Files\7-Zip\7z.exe are captured whole; truncating at whitespace would make the archive branch never fire.
- Classification tests eventcode first, so an Event ID 11 file drop by wscript.exe is labelled suspicious_encoded_file_drop rather than scripting_engine_encoded_exec, and every process-creation event is labelled by the branch that admitted it.
- The query reads only the visible command line. A -bxor or FromBase64String that sits inside an -EncodedCommand blob is invisible to it and surfaces only in PowerShell Script Block Logging (Event ID 4104), which this query does not consume.
- The 4688 branches need the "Include command line in process creation events" audit policy; without it Process Command Line is empty and only the Sysmon feed contributes.
- If events arrive JSON-formatted, path backslashes are doubled in the raw message and the \\ in the targetfilename pattern must be written as \\\\.
Data Sources
- Sysmon Event ID 1 (ProcessCreate): Image and CommandLine
- Windows Security Event 4688 (process creation auditing): New Process Name and Process Command Line, the latter only with command-line auditing enabled
- Sysmon Event ID 11 (FileCreate): TargetFilename and the creating process Image
- PowerShell Script Block Logging Event ID 4104 is referenced by the tests below but is not consumed by the query
False Positives & Tuning
- Enterprise IT automation (SCCM, Microsoft Intune, Ansible Tower) routinely launches PowerShell with Base64-encoded payloads for configuration management, especially during maintenance windows, and produces high-volume hits on managed endpoints. The query exposes no parent process, so tune by excluding the management hosts via _sourceHost, or add a parse regex for ParentImage and exclude the agent process.
- Security operations tooling and EDR agents (CrowdStrike Falcon, SentinelOne, Carbon Black) may write .dat or .bin configuration, signature or telemetry cache files under AppData or ProgramData as part of normal operation. The file-drop branch fires only when the creating process is powershell, cmd, wscript, cscript or mshta, which already excludes the agents' own binaries; if an agent drives such drops through one of those hosts, exclude its TargetFilename path prefix.
- Developers and DevSecOps engineers running local CI/CD pipelines, build scripts or test frameworks may invoke certutil, PowerShell encoding functions or password-protected archive tools on non-production workstations; scope or suppress those hosts by _sourceHost.
Testing Methodology
Validate this detection against four Atomic Red Team tests for T1027.013. Each test below lists the behaviour to exercise, the telemetry you should expect to see, and which branch of the query it should trigger.
- Test 1: Base64 Encode, Drop, and Decode with certutil
Expected signal: Sysmon EventCode 1 (ProcessCreate) for certutil.exe with -decode in CommandLine; this is what the query fires on (certutil_decode, risk 75). EventCode 11 for the .b64 source file and the decoded output in %TEMP% will also appear, but the file-drop branch ignores them: certutil.exe is not in its creating-process list and .b64/.exe are not in its extension list.
- Test 2: PowerShell XOR Decryption Simulating Single-Byte XOR Malware
Expected signal: Sysmon EventCode 1 (ProcessCreate) for powershell.exe; the query fires (powershell_xor_decode, risk 80) only if -bxor appears in the visible command line. If the test passes the script through -EncodedCommand, the command line shows only Base64 and the query stays silent; PowerShell Script Block Logging EventCode 4104 still captures the deobfuscated script including the -bxor operator and the Invoke-Expression call.
- Test 3: Password-Protected ZIP Delivery and Extraction
Expected signal: Sysmon EventCode 1 for 7z.exe with -p<password> in CommandLine (password_protected_archive, risk 55). 7z.exe normally lives under C:\Program Files, so this test also verifies that the image regex tolerates spaces in the path. EventCode 11 for the .zip and the extracted files in %TEMP% will appear but does not match the file-drop branch.
- Test 4: Base64 Blob Decode and Execute via PowerShell
Expected signal: Sysmon EventCode 1 for powershell.exe with FromBase64String and Invoke-Expression or IEX in CommandLine (powershell_b64_decode_exec, risk 85). PowerShell Script Block Logging EventCode 4104 captures both the FromBase64String call and the decoded Invoke-Expression content and is the primary high-value telemetry source, since it survives -EncodedCommand wrapping.
References (7)
- https://attack.mitre.org/techniques/T1027/013
- https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/
- https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
- https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation
- https://securelist.com/the-darkhotel-apt/66779/
- https://unit42.paloaltonetworks.com/sofacy-attacks-multiple-government-entities/
- https://www.secureworks.com/research/threat-profiles/gold-southfield