1. Home
  2. ATT&CK Techniques
  3. T1132 Data Encoding

T1132 Data Encoding Mappings

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

View in MITRE ATT&CK®

VERIS Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1132 Data Encoding
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1132 Data Encoding
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1132 Data Encoding
Showing 1 to 3 of 3 rows

GCP Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
google_secops Google Security Operations technique_scores T1132 Data Encoding
Comments
Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques. This technique was scored as minimal based on low or uncertain detection coverage factor. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']
Showing 1 to 1 of 1 rows

ATT&CK Subtechniques

Loading, please wait
Technique ID
Technique Name
Number of Mappings
T1132.001 Standard Encoding 4
T1132.002 Non-Standard Encoding 3
Showing 1 to 2 of 2 rows