LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS

MITRE ATT&CK  /  T1027.013

T1027.013

Encrypted/Encoded File

SUB-TECHNIQUE Stealth

Description

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These …

Platforms

LinuxmacOSWindows

Mitigations

  • M1049 — Antivirus/Antimalware
  • M1040 — Behavior Prevention on Endpoint
Look up any technique

Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →

Scroll to Top