Home
ATT&CK Techniques
T1132 Data Encoding

T1132 Data Encoding

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
DE.AE-02.01	Event analysis and detection	Mitigates	T1132	Data Encoding	Comments This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. References
DE.CM-01.01	Intrusion detection and prevention	Mitigates	T1132	Data Encoding	Comments Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. References
PR.IR-01.03	Network communications integrity and availability	Mitigates	T1132	Data Encoding	Comments This diagnostic statement protects against Data Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1132	Data Encoding
CM-06	Configuration Settings	mitigates	T1132	Data Encoding
SI-03	Malicious Code Protection	mitigates	T1132	Data Encoding
CM-02	Baseline Configuration	mitigates	T1132	Data Encoding
SI-04	System Monitoring	mitigates	T1132	Data Encoding
AC-04	Information Flow Enforcement	mitigates	T1132	Data Encoding
SC-07	Boundary Protection	mitigates	T1132	Data Encoding

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.variety.Evade Defenses	Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.	related-to	T1132	Data Encoding
action.malware.variety.C2	Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.	related-to	T1132	Data Encoding

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1132	Data Encoding	Comments Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques. This technique was scored as minimal based on low or uncertain detection coverage factor. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1132.001	Standard Encoding	11
T1132.002	Non-Standard Encoding	11