DET0087 Encrypted or Encoded File Payload Detection Strategy
| Item | Value |
|---|---|
| ID | DET0087 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1027.013 (Encrypted/Encoded File)
Analytics
Windows
AN0237
Detection of processes that load or decode encrypted/encoded files in memory and subsequently execute or inject them, indicating payload unpacking or memory-resident malware.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| Image | Path of decoder utilities (e.g., certutil.exe, powershell.exe) can vary across environments. |
| CommandLine | Base64/hex strings used may change per encoded payload. |
| TimeWindow | The duration between file decode and execution may differ across implementations. |
Linux
AN0238
Detection of suspicious use of shell utilities or scripts that decode or decrypt a payload and execute it without writing to disk.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| UserContext | Normal usage of base64, openssl, or gpg varies by user/role. |
| ProcessLineage | Parent-child process chains may differ across deployments. |
| TimeWindow | Time between decode and execution is implementation-specific. |
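The decode-then-execute correlation that AN0237 (Windows) and AN0238 (Linux) describe, as an added example that is not part of the DET0087 record: it scans constructed process-creation events for a decoder utility followed, within the TimeWindow, by an interpreter launched as its child or as a sibling under the same parent shell (ProcessLineage) in the same UserContext. The decoder patterns, interpreter list and sample events are assumptions chosen for the illustration.

```python
"""Correlate a decode/decrypt step with a follow-on execution (AN0237 / AN0238 pattern)."""
import re
from datetime import datetime, timedelta

# Decoder utilities named in the analytics; extend via the Image/CommandLine mutable elements.
DECODER_PATTERNS = {
    "base64": re.compile(r"(^|\s)(-d|--decode)(\s|$)"),
    "certutil.exe": re.compile(r"-decode(hex)?\b", re.I),
    "openssl": re.compile(r"\benc\b.*\s-d\b"),
    "gpg": re.compile(r"(^|\s)(-d|--decrypt)(\s|$)"),
    "powershell.exe": re.compile(r"FromBase64String", re.I),
}
INTERPRETERS = {"bash", "sh", "zsh", "python3", "perl", "powershell.exe", "cmd.exe", "wscript.exe"}

def basename(image):  # handles both / and \ path separators
    return re.split(r"[\\/]", image)[-1].lower()

def is_decode(ev):
    pat = DECODER_PATTERNS.get(basename(ev["image"]))
    return bool(pat and pat.search(ev["cmdline"]))

def correlate(events, window=timedelta(seconds=30)):
    """Return (decoder, executor) pairs: an interpreter started within `window` after a decoder,
    as its child or its sibling under the same parent shell (ProcessLineage), same UserContext."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, d in enumerate(events):
        if not is_decode(d):
            continue
        for x in events[i + 1:]:
            if x["ts"] - d["ts"] > window:
                break  # TimeWindow exceeded; nothing later correlates with this decode
            if (x["ppid"] in (d["pid"], d["ppid"]) and x["user"] == d["user"]
                    and basename(x["image"]) in INTERPRETERS):
                hits.append((d, x))
    return hits

def ev(ts, pid, ppid, user, image, cmdline):  # constructed process-creation record
    return {"ts": datetime.fromisoformat("2025-10-21T" + ts), "pid": pid, "ppid": ppid,
            "user": user, "image": image, "cmdline": cmdline}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    ev("10:00:00", 101, 100, "alice", "/usr/bin/base64", "base64 -d /tmp/p.b64"),
    ev("10:00:05", 102, 100, "alice", "/bin/bash", "bash /tmp/p.sh"),  # sibling, 5 s later: hit
    ev("10:01:00", 201, 200, "bob", r"C:\Windows\System32\certutil.exe", "certutil -decode payload.txt stage.ps1"),
    ev("10:02:00", 202, 200, "bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -File stage.ps1"),  # 60 s later: outside the default 30 s window
    ev("10:05:00", 301, 300, "carol", "/usr/bin/base64", "base64 --decode cert.b64"),  # no follow-on
]

def demo(window_seconds=30):
    return [(d["pid"], x["pid"]) for d, x in correlate(SAMPLE_EVENTS, timedelta(seconds=window_seconds))]

if __name__ == "__main__":
    print(demo())  # [(101, 102)]
```

Widening the window to 120 s also pairs the certutil decode with the later PowerShell launch, which is the tuning trade-off the TimeWindow mutable element refers to.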
macOS
AN0239
Detection of encoded payloads being decoded and executed in-memory using scripting tools or third-party decoders.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ScriptContent | Encoded payload content varies across adversaries. |
| ExecutionChain | Sequence of tools or scripts executed can differ. |
| UserContext | May depend on whether the user is an admin, daemon, or system account. |