T1027.013
Obfuscated Files or Information: Encrypted/Encoded File
Description from ATT&CK
Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).(Citation: SFX - Encrypted/Encoded File)
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.
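A detection-side illustration of the two points above (standard encodings such as Base64, and redundant layers), added here as an example and not part of the ATT&CK text or the Atomic Red Team tests: it peels Base64 layers off a blob until a signature fragment appears, so a file that "only" carries the encoded form still gets caught. It also folds back the UTF-16LE output that Windows PowerShell 5.1's Out-File produces by default (PowerShell 7 writes UTF-8 without a BOM), which would otherwise defeat an ASCII byte signature against the file Test #1 writes. The Base64 string is the one Test #1 below decodes; the other inputs are constructed here.

```python
import base64
import binascii
import re

# Fragment of the EICAR test string; matching on it avoids carrying the whole
# test file around in a scanner. A real signature would go here instead.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# The Base64 blob that Atomic Test #1 decodes with [Convert]::FromBase64String.
ENCODED_ONCE = b"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="

_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def normalize(data: bytes) -> bytes:
    """Windows PowerShell 5.1's Out-File writes UTF-16LE with a BOM by default,
    so the file Test #1 creates there would not match an ASCII signature
    byte-for-byte; fold it back to UTF-8 before matching."""
    if data.startswith(b"\xff\xfe"):
        try:
            return data[2:].decode("utf-16-le").encode("utf-8")
        except UnicodeDecodeError:
            return data
    return data


def try_b64(data: bytes):
    """Strictly decode one Base64 layer, or return None if data is not Base64."""
    s = b"".join(data.split())                 # tolerate wrapped lines
    if len(s) < 8 or len(s) % 4 or not _B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_layers(data: bytes, marker: bytes = EICAR_MARKER, max_depth: int = 5):
    """Return (found, depth): depth is how many Base64 layers were peeled
    before the marker appeared, or how many were peeled before giving up."""
    layer = data
    for depth in range(max_depth + 1):
        layer = normalize(layer)
        if marker in layer:
            return True, depth
        nxt = try_b64(layer)
        if nxt is None:
            return False, depth
        layer = nxt
    return False, max_depth


def build_samples() -> dict:
    """Constructed inputs (not files from the page) exercising each case."""
    plain = base64.b64decode(ENCODED_ONCE)
    return {
        "plain": plain,                                    # bare test string
        "b64_once": ENCODED_ONCE,                          # Test #1's input
        "b64_twice": base64.b64encode(ENCODED_ONCE),       # a redundant layer
        "utf16_bom": b"\xff\xfe" + plain.decode("ascii").encode("utf-16-le"),
        "benign": b"nothing to see here!\n",
    }


def run_samples() -> dict:
    return {name: scan_layers(blob) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```

The strict alphabet and length checks matter: a loose decoder will happily "decode" ordinary text and chase noise for several layers, so the depth counter doubles as a cheap bound on how much obfuscation a sample carried.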
Atomic Tests
- Atomic Test #1: Decode Eicar File and Write to File
- Atomic Test #2: Decrypt Eicar File and Write to File
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution
Atomic Test #1: Decode Eicar File and Write to File
Decode the Base64-encoded EICAR test string and write it to a file for AV/EDR to try to catch.
Supported Platforms: Windows, macOS, Linux
auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
Attack Commands: Run with powershell!
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File T1027.013_decodedEicar.txt
Cleanup Commands
Just delete the resulting T1027.013_decodedEicar.txt file.
Atomic Test #2: Decrypt Eicar File and Write to File
Decrypt the EICAR test string, stored here encrypted under the hardcoded 32-byte key used below, and write it to a file for AV/EDR to try to catch.
Supported Platforms: Windows, macOS, Linux
auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
Attack Commands: Run with powershell!
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File T1027.013_decryptedEicar.txt
Cleanup Commands
Just delete the resulting T1027.013_decryptedEicar.txt file.
Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution
Extracts and executes a script from a password-protected ZIP archive. This delivery pattern has been used by malware families such as Emotet and QBot: the archive arrives as an e-mail attachment and the password is given in the message body. The encrypted ZIP evades static file analysis until it is extracted at runtime. On success, the extracted script prints a confirmation line and basic system information.
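A closer look at what "evades static file analysis" does and does not cover, added here as an example and not part of the Atomic Red Team test: the central directory of a ZIP is never encrypted, so a mail gateway or EDR with no password can still read entry names, sizes and the encryption flag, and can flag an encrypted archive that carries a script. The block builds the same kind of archive `zip -P` produces (traditional PKWARE "ZipCrypto" encryption, implemented here in pure Python because the standard library can read but not write it; the entry is stored rather than deflated to keep the example short), triages it without the password, then extracts it with the password as `unzip -P` would. The payload text, file name, fixed 11-byte encryption header and the `RISKY_EXTS` list are constructed stand-ins.

```python
import io
import struct
import zipfile
import zlib

# Extensions a gateway would treat as executable content (constructed list).
RISKY_EXTS = (".sh", ".ps1", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".exe", ".scr")
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0 in both ZIP headers
ZIP_STORED = 0                   # no compression: the entry is only encrypted

# Constructed stand-in for the script Test #3 writes to /tmp/art_payload.sh.
PAYLOAD = (b'#!/bin/bash\n'
           b'echo "T1027.013: Payload extracted from encrypted ZIP"\n'
           b'uname -a\n')

# CRC-32 table used by the ZipCrypto key schedule (same polynomial as zlib).
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def zipcrypto_encrypt(pwd: bytes, plaintext: bytes) -> bytes:
    """PKWARE traditional encryption: the three keys are derived from the
    password alone, which is why a password in the mail body suffices."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(byte: int) -> None:
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ byte) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]

    for p in pwd:
        update(p)
    out = bytearray()
    for p in plaintext:
        t = (k2 | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)                # the key stream advances on the plaintext byte
    return bytes(out)


def build_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """Single-entry archive with ZipCrypto encryption, as `zip -P` produces."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (fixed here, random in real
    # tools) plus the CRC's high byte, which unzip uses as the password check.
    enc = zipcrypto_encrypt(pwd, bytes(range(11)) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    dos_date = ((2024 - 1980) << 9) | (1 << 5) | 1          # 2024-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, FLAG_ENCRYPTED, ZIP_STORED,
                        0, dos_date, crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, FLAG_ENCRYPTED,
                          ZIP_STORED, 0, dos_date, crc, len(enc), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(enc), 0)
    return local + enc + central + eocd


def triage_zip(blob: bytes) -> dict:
    """What a gateway sees with no password: the central directory is never
    encrypted, so names, sizes and the encryption flag are in the clear."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = [{
            "name": zi.filename,
            "encrypted": bool(zi.flag_bits & FLAG_ENCRYPTED),
            "method": zi.compress_type,          # 99 would mean WinZip AES
            "size": zi.file_size,
            "risky": zi.filename.lower().endswith(RISKY_EXTS),
        } for zi in zf.infolist()]
    return {"entries": entries,
            "suspicious": any(e["encrypted"] and e["risky"] for e in entries)}


def extract(blob: bytes, name: str, pwd: bytes) -> bytes:
    """Runtime side (Test #3's `unzip -P`): the content appears only now."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=pwd)


def password_works(blob: bytes, name: str, pwd: bytes) -> bool:
    try:
        extract(blob, name, pwd)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


if __name__ == "__main__":
    blob = build_encrypted_zip("art_payload.sh", PAYLOAD, b"infected")
    print(triage_zip(blob))
    print(extract(blob, "art_payload.sh", b"infected").decode())
```

The split between `triage_zip` and `extract` is the point: content-based signatures see nothing until the password is supplied, but an "encrypted archive containing a script" rule fires on metadata alone, and ZipCrypto itself offers no integrity beyond the CRC, so a wrong password is rejected by the check byte rather than by authentication.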
Supported Platforms: Linux, macOS
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| zip_password | Password used to protect the ZIP archive | String | infected |
Attack Commands: Run with bash!
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
Cleanup Commands
rm -f /tmp/art_payload.sh
rm -f /tmp/art_encrypted.zip
Dependencies: Run with bash!
Description: zip and unzip must be installed
Check Prereq Commands
which zip && which unzip
Get Prereq Commands
echo "Install zip and unzip using your package manager (apt-get, yum, or brew)"
Atomic test(s) for this technique last updated: 2026-03-18 05:07:16 UTC