From ab7835d6344ad75938b60f3a0fec68386d13a4b7 Mon Sep 17 00:00:00 2001
From: koyoresearch <59782993+koyoresearch@users.noreply.github.com>
Date: Thu, 17 Jul 2025 19:23:03 -0400
Subject: [PATCH] Create t1027.013_encoded_file.yaml (#3148)

Co-authored-by: Carrie Roberts
---
 atomics/T1027.013/T1027.013.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 atomics/T1027.013/T1027.013.yaml

diff --git a/atomics/T1027.013/T1027.013.yaml b/atomics/T1027.013/T1027.013.yaml
new file mode 100644
index 00000000..ac972834
--- /dev/null
+++ b/atomics/T1027.013/T1027.013.yaml
@@ -0,0 +1,20 @@
+attack_technique: T1027.013
+display_name: 'Obfuscated Files or Information: Encrypted/Encoded File'
+atomic_tests:
+- name: T1027.013 Encrypted/Encoded File
+ description: Decode the eicar value, and write it to file, for AV/EDR to try to catch.
+ supported_platforms:
+ - windows
+ - macos
+ - linux
+ executor:
+ command: |-
+ $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+ $bytes = [System.Convert]::FromBase64String($encodedString)
+ $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+ #write the decoded eicar string to file
+ $decodedString | Out-File T1027.013_decodedEicar.txt
+ cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+ name: powershell
+ elevation_required: false
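Review bot: `cleanup_command` holds an English sentence rather than a command, yet the framework runs that field through the same PowerShell executor, so cleanup will fail with a parse error and the decoded file is left on disk; replace it with `cleanup_command: Remove-Item -Path T1027.013_decodedEicar.txt -ErrorAction Ignore`. Separately, `Out-File` with no `-Encoding` writes UTF-16LE with a BOM under Windows PowerShell 5.1 (UTF-8 under PowerShell 7), so the bytes on disk are not the plain-ASCII sequence the description implies and a scanner that matches the exact EICAR signature may not flag the file on every host; `$decodedString | Out-File T1027.013_decodedEicar.txt -Encoding ascii` keeps the artifact identical across the three listed platforms. Both the write and the cleanup use a bare relative path, so they presumably depend on running from the same working directory — worth stating in the description or anchoring the path under a known location such as `$env:TEMP`.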