Description
Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding)
Platforms
Mitigations (1)
M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families.
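The following is an added example and is not code from the ATT&CK page or from any of the tools listed on it. It shows the two layers the description and the group and software entries below keep returning to (an XOR pass followed by Base64 with a substituted alphabet and the `=` padding stripped), and, for the mitigation above, why a network signature written against the wire bytes of one family misses the others: the sensor side here normalises a POST body through every decoder it knows before applying a single content signature. The rotated alphabet, the key byte `0x9b` and the `id=<hex>;cmd=` tasking format are assumptions constructed for this example, not values taken from any family on this page.

```python
import base64
import binascii
import re
import string

# Standard Base64 alphabet (RFC 4648).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet, constructed for this example: the standard
# alphabet rotated by 13 positions. Real families use their own permutations.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

# Hypothetical single-byte XOR key, constructed for this example. The high bit
# is set so that XORed ASCII never happens to look like ASCII.
XOR_KEY = b"\x9b"

# Hypothetical tasking format the implant is assumed to carry after decoding.
TASKING_SIGNATURE = re.compile(rb"^id=[0-9a-f]{8};cmd=")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; an empty key is a no-op."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET, pad: bool = True) -> str:
    """Base64 with a substituted alphabet, optionally with the '=' padding stripped."""
    std = base64.b64encode(data).decode("ascii")
    out = std.translate(str.maketrans(STD_ALPHABET, alphabet))
    return out if pad else out.rstrip("=")


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Inverse of custom_b64encode; raises binascii.Error on non-alphabet input."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding the sender may have removed
    return base64.b64decode(std, validate=True)


def encode_beacon(plaintext: bytes, key: bytes = XOR_KEY) -> str:
    """Implant side: XOR with a fixed key, then custom-alphabet Base64 without padding."""
    return custom_b64encode(xor_bytes(plaintext, key), pad=False)


def decode_beacon(body: str, key: bytes = XOR_KEY) -> bytes:
    """Operator side: undo the two layers in reverse order."""
    return xor_bytes(custom_b64decode(body), key)


# Sensor side. Each entry is (alphabet, XOR key) for a scheme the sensor knows;
# a real signature set would carry the alphabets and keys observed per family.
KNOWN_SCHEMES = {
    "standard-base64": (STD_ALPHABET, b""),
    "rotated-alphabet": (CUSTOM_ALPHABET, b""),
    "xor-then-standard": (STD_ALPHABET, XOR_KEY),
    "xor-then-rotated": (CUSTOM_ALPHABET, XOR_KEY),
}


def classify_body(body: str):
    """Run an HTTP POST body through every known decoder and apply the content
    signature to each result. Returns (scheme name, decoded bytes) or (None, None).
    Note that a rotated alphabet is still a permutation of the standard set, so the
    wire form decodes 'successfully' as ordinary Base64 into garbage; the signature
    on the decoded content, not decodability, is what separates the schemes."""
    for name, (alphabet, key) in KNOWN_SCHEMES.items():
        try:
            raw = xor_bytes(custom_b64decode(body, alphabet), key)
        except (binascii.Error, ValueError):
            continue
        if TASKING_SIGNATURE.match(raw):
            return name, raw
    return None, None


if __name__ == "__main__":
    msg = b"id=0a1b2c3d;cmd=whoami"  # constructed sample tasking message
    wire = encode_beacon(msg)
    print("wire body:", wire)
    print("classified as:", classify_body(wire)[0])
```

The table of known schemes is the part that has to be maintained per family; adding a newly observed alphabet or key is a one-line change, whereas a byte-pattern signature on the encoded form would need to be rewritten for each one.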
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated HTTP Post request communications utilizing XOR with a designated key, followed by Base... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0346 | OceanSalt | Malware | [OceanSalt](https://attack.mitre.org/software/S0346) can encode data with a NOT operation before sending the data to the control server.(Citation: McA... |
| S1035 | Small Sieve | Malware | [Small Sieve](https://attack.mitre.org/software/S1035) can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.(Citation: DHS ... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has encoded a payload with a random 32-byte key using XOR.(Citation: 2022 November_TrendMicro_Ear... |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) has used a non-standard encoding in DNS tunneling removing any `=` from the result of base64 enco... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can communicate with the C2 via subdomains that utilize base64 with character substitutions.(Citation:... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation:... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters ... |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) can use modified Base64 encoding to obfuscate communications.(Citation: GitHub Neo-reGeorg 2019... |
| S0031 | BACKSPACE | Malware | Newer variants of [BACKSPACE](https://attack.mitre.org/software/S0031) will encode C2 communications with a custom system.(Citation: FireEye APT30) |
| S9007 | HTTPTroy | Malware | [HTTPTroy](https://attack.mitre.org/software/S9007) has obfuscated HTTP POST request communications utilizing XOR with a designated key of 0x56, follo... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use a custom Base64 alphabet for encoding C2.(Citation: Mandiant ROADSWEEP August 2022) |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) encodes commands from the control server using a range of characters and gzip.(Citation: McAfee Ba... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has encoded data as readable Latin characters.(Citation: Securelist ShadowPad Aug 2017) |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) can use a custom binary scheme to encode messages with specific commands and parameters to be... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) can encode C2 communications with a base64 algorithm using a custom alphabet.(Citation: Kaspersky Tod... |
| S1046 | PowGoop | Malware | [PowGoop](https://attack.mitre.org/software/S1046) can use a modified Base64 encoding mechanism to send data to and from the C2 server.(Citation: CYBE... |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) has used a complex XOR operation to obfuscate C2 communications.(Citation: SekoiaBourhis_DiceLoader_F... |
References
- Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
- Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.
Frequently Asked Questions
What is T1132.002 (Non-Standard Encoding)?
T1132.002 is a MITRE ATT&CK technique named 'Non-Standard Encoding'. It belongs to the Command and Control tactic(s). Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded us...
How can T1132.002 be detected?
Detection of T1132.002 (Non-Standard Encoding) relies on network traffic content rather than on the encoding itself, since a custom alphabet or XOR key is chosen precisely so that standard decoders and byte-pattern signatures fail. Analyze packet contents for communications that do not follow the expected protocol behavior for the port in use, for example HTTP bodies or DNS subdomains that look like Base64 or Base32 but do not decode under the standard alphabet, and for uncommon data flows such as a client sending significantly more data than it receives. Correlate with endpoint telemetry to find processes generating that traffic which do not normally communicate over the network, and build per-family signatures on the decoded content where the scheme is known.
What mitigations exist for T1132.002?
There is 1 documented mitigation for T1132.002: Network Intrusion Prevention (M1031).
Which threat groups use T1132.002?
Known threat groups using T1132.002 include: Kimsuky.