title: Encrypted/Encoded File (T1027.013)
id: df00tech-t1027-013
status: experimental
description: "Adversaries encrypt or encode files to conceal malicious content and evade static signature detection. Techniques include XOR (single-byte and multi-byte), RC4, AES, 3DES, Base64, and custom encoding schemes applied to malware payloads, configuration files, C2 communication blobs, and dropped files. The full content or only specific values (such as C2 addresses or strings) may be obfuscated, sometimes in multiple redundant layers. Common delivery vectors include password-protected ZIP/Word documents and self-extracting (SFX) archives. Threat actors ranging from APT28 and Inception Group to ransomware families like Qilin and RansomHub consistently use encrypted/encoded files to defeat antivirus and EDR static analysis."
references:
  - https://attack.mitre.org/techniques/T1027/013/
  - https://df00tech.com/detections/T1027.013
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Unknown
level: medium