Description
Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
Platforms
Sub-Techniques (2)
Mitigations (1)
M1031: Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) sent commands to compromised F5 BIG-IP devices in an encoded format requiring a passkey before int... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S9035 | LAMEHUG | Malware | [LAMEHUG](https://attack.mitre.org/software/S9035) can encode queries sent to LLMs.(Citation: Splunk LAMEHUG SEP 2025) |
| S0128 | BADNEWS | Malware | After encrypting C2 data, [BADNEWS](https://attack.mitre.org/software/S0128) converts it into a hexadecimal representation and then encodes it into ba... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) provides various transform functions to encode and/or randomize C2 data.(Citation: Mythc Documentati... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used encoded data in HTTP URLs for C2.(Citation: ProofPoint Ursnif Aug 2016) |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can randomly generate and Base64 encode parameters in phishing links to defeat static detection.(... |
| S0362 | Linux Rabbit | Malware | [Linux Rabbit](https://attack.mitre.org/software/S0362) sends the payload from the C2 server as an encoded URL parameter. (Citation: Anomali Linux Rab... |
| S0132 | H1N1 | Malware | [H1N1](https://attack.mitre.org/software/S0132) obfuscates C2 traffic with an altered version of base64.(Citation: Cisco H1N1 Part 2) |
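The Python below is an added illustration of the detection side and is not part of the ATT&CK page: it decodes Base64 query parameters found in proxy log lines (the pattern the Ursnif entry above describes, and the kind of signature logic M1031 relies on) and shows how a translation table recovers data encoded with an altered Base64 alphabet, as the H1N1 entry describes. The log lines, hosts and the altered alphabet are all constructed for this example; real tooling would add its own thresholds and allow-lists.

```python
import base64, binascii, gzip, math
from urllib.parse import urlsplit

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ALT_ALPHABET = STD_ALPHABET[::-1]  # constructed stand-in for an attacker-altered alphabet

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; gzip or encrypted output sits near the maximum for its size."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def try_decode(value: str, alphabet: str = STD_ALPHABET):
    """Base64-decode in the given alphabet (STD_ALPHABET[:-2] + "-_" for URL-safe); None if invalid."""
    body = value.rstrip("=")
    if len(body) < 16 or any(ch not in alphabet for ch in body):  # short values are mostly benign tokens
        return None
    try:
        return base64.b64decode(value.translate(str.maketrans(alphabet, STD_ALPHABET)), validate=True)
    except binascii.Error:
        return None

def find_encoded_params(url: str, alphabet: str = STD_ALPHABET):
    """Return [(param, kind, detail)] for Base64 query values; split by hand since parse_qsl() turns '+' into a space."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        decoded = try_decode(raw, alphabet)
        if decoded is None:
            continue
        printable = all(32 <= b < 127 for b in decoded)
        hits.append((name, "text", decoded.decode("ascii")) if printable
                    else (name, "binary", round(entropy_bits(decoded), 2)))
    return hits

def _sample(data: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Constructed query value for the sample log lines below (test data only)."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_ALPHABET, alphabet))

# Constructed proxy log lines, "<client> <url>"; no real traffic or hosts.
SAMPLE_LOGS = [
    "10.0.0.5 http://example.test/index.html?page=2&lang=en",
    "10.0.0.9 http://example.test/c/?q=" + _sample(b"id=42;cmd=whoami"),
    "10.0.0.9 http://example.test/c/?q=" + _sample(gzip.compress(b"dir C:\\Users")),
    "10.0.0.11 http://example.test/c/?q=" + _sample(b"cmd=hostname", ALT_ALPHABET),
]

def scan_logs(lines, alphabet: str = STD_ALPHABET):
    """Return [(client, param, kind, detail)] for every line carrying Base64 query data."""
    return [(client, *hit) for client, url in (ln.split(" ", 1) for ln in lines)
            for hit in find_encoded_params(url, alphabet)]
```

Scanning with the standard alphabet recovers the plaintext command and flags the gzip payload as binary, while the altered-alphabet value only decodes once the matching alphabet is supplied.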
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
- Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.
Frequently Asked Questions
What is T1132 (Data Encoding)?
T1132 is a MITRE ATT&CK technique named 'Data Encoding'. It belongs to the Command and Control tactic(s). Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use...
How can T1132 be detected?
Detection of T1132 (Data Encoding) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1132?
There is 1 documented mitigation for T1132: Network Intrusion Prevention.
Which threat groups use T1132?
Known threat groups using T1132 include: Velvet Ant.