EXPLORE
Sign In
← Back to Explore
T1027.013

Encrypted/Encoded File

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Enc...

LinuxmacOSWindows
7
Detections
3
Sources
37
Threat Actors

BY SOURCE

5elastic1crowdstrike_cql1splunk_escu

PROCEDURES (7)

Powershell1 detections

Auto-extracted: 1 detections for powershell

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Evasion1 detections

Auto-extracted: 1 detections for evasion

Evasion1 detections

Auto-extracted: 1 detections for evasion

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (37)

APT18APT19APT28APT32APT33APT39BITTERBlue MockingbirdContagious InterviewDark CaracalDarkhotelElderwoodFox KittenGroup5HigaisaInceptionLazarus GroupLeviathanMagic HoundMalteiromenuPassMetadorMofangMoonstone SleetMoses StaffOilRigPutter PandaSaint BearSidewinderStorm-1811TA2541TA505TeamTNTThreat Group-3390Transparent TribeTropic TrooperWhitefly

DETECTIONS (7)

Data Encrypted via OpenSSL Utility
elasticlow
Deprecated - Encoded Executable Stored in the Registry
elasticmedium
LOLBin Certutil
crowdstrike_cql
PowerShell Script with Encryption/Decryption Capabilities
elasticmedium
ROT Encoded Python Script Execution
elasticmedium
Suspicious Portable Executable Encoded in Powershell Script
elasticmedium
Windows Obfuscated Files or Information via RAR SFX
splunk_escu