Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1132 | Data Encoding | |
| CM-06 | Configuration Settings | mitigates | T1132 | Data Encoding | |
| SI-03 | Malicious Code Protection | mitigates | T1132 | Data Encoding | |
| CM-02 | Baseline Configuration | mitigates | T1132 | Data Encoding | |
| SI-04 | System Monitoring | mitigates | T1132 | Data Encoding | |
| AC-04 | Information Flow Enforcement | mitigates | T1132 | Data Encoding | |
| SC-07 | Boundary Protection | mitigates | T1132 | Data Encoding |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1132 | Data Encoding | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1132 | Data Encoding |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1132 | Data Encoding |
Comments
Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques.
This technique was scored as minimal based on low or uncertain detection coverage factor.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1132.001 | Standard Encoding | 8 |
| T1132.002 | Non-Standard Encoding | 8 |