Description
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
Platforms
Mitigations (1)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the ... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) used Base64 to encode C2 traffic.(Citation: Cymmetria Patchwork) |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has encoded C2 traffic with Base64.(Citation: Mandiant APT42-untangling) |
| G0060 | BRONZE BUTLER | Several [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) tools encode data with base64 when posting it to a C2 server.(Citation: Secureworks BRO... |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used encoded ASCII text for initial C2 communications.(Citation: Unit 42 Valak July 2020) |
| G0032 | Lazarus Group | A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018) |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro T... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWate... |
| G0073 | APT19 | An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant used Base64 to encode communications to the C2 server.(Citation: Unit 42 C0d0so... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail) |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020) |
Associated Software (113)
| ID | Name | Type | Context |
|---|---|---|---|
| S0610 | SideTwist | Malware | [SideTwist](https://attack.mitre.org/software/S0610) has used Base64 for encoded C2 traffic.(Citation: Check Point APT34 April 2021) |
| S0410 | Fysbis | Malware | [Fysbis](https://attack.mitre.org/software/S0410) can use Base64 to encode its C2 traffic.(Citation: Fysbis Dr Web Analysis) |
| S1021 | DnsSystem | Malware | [DnsSystem](https://attack.mitre.org/software/S1021) can Base64 encode data sent to C2.(Citation: Zscaler Lyceum DnsSystem June 2022) |
| S0045 | ADVSTORESHELL | Malware | C2 traffic from [ADVSTORESHELL](https://attack.mitre.org/software/S0045) is encrypted, then encoded with Base64 encoding.(Citation: Kaspersky Sofacy) |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) has encoded bidirectional data communications between a target system and C2 server using Base64.(C... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.(... |
| S0053 | SeaDuke | Malware | [SeaDuke](https://attack.mitre.org/software/S0053) C2 traffic is base64-encoded.(Citation: Unit 42 SeaDuke 2015) |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has Base64-encoded the message body of a HTTP request sent to C2.(Citation: Latrodectus APR 202... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) performs XOR encryption and Base64 encoding of data prior to sending to command and control i... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) has used Base64 to encode its C2 traffic.(Citation: Lunghi Iron Tiger Linux) |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used Base64 to encode C2 communications.(Citation: Cybereason Chaes Nov 2020) |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can Base32 encode chunks of output files during exfiltration.(Citation: Kaspersky Lyceum October 2021... |
| S0472 | down_new | Malware | [down_new](https://attack.mitre.org/software/S0472) has the ability to base64 encode C2 communications.(Citation: Trend Micro Tick November 2019) |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) has encoded C2 communications with Base64.(Citation: McAfee Lazarus Nov 2020) |
| S0044 | JHUHUGIT | Malware | A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant encodes C2 POST data base64.(Citation: Unit 42 Playbook Dec 2017) |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) used Base64 encoding in its C2 traffic.(Citation: FireEye SUNBURST Backdoor December 2020) |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can encode data using Base64 prior to exfiltration.(Citation: SentinelLabs Metador Technical Append... |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has encoded its C2 traffic with Base64.(Citation: FireEye SMOKEDHAM June 2021) |
| S1110 | SLIGHTPULSE | Malware | [SLIGHTPULSE](https://attack.mitre.org/software/S1110) can base64 encode all incoming and outgoing C2 messages.(Citation: Mandiant Pulse Secure Zero-D... |
| S0137 | CORESHELL | Malware | [CORESHELL](https://attack.mitre.org/software/S0137) C2 messages are Base64-encoded.(Citation: FireEye APT28) |
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
- Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.
Frequently Asked Questions
What is T1132.001 (Standard Encoding)?
T1132.001 is a MITRE ATT&CK technique named 'Standard Encoding'. It belongs to the Command and Control tactic(s). Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using...
How can T1132.001 be detected?
Detection of T1132.001 (Standard Encoding) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1132.001?
There are 1 documented mitigations for T1132.001. Key mitigations include: Network Intrusion Prevention.
Which threat groups use T1132.001?
Known threat groups using T1132.001 include: Sandworm Team, Patchwork, APT42, BRONZE BUTLER, TA551, Lazarus Group, Tropic Trooper, MuddyWater.