Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1132.001 | Standard Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1132.001 | Standard Encoding |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1132.001 | Standard Encoding |
Comments
This diagnostic statement protects against Standard Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1132.001 | Standard Encoding | |
| CM-06 | Configuration Settings | mitigates | T1132.001 | Standard Encoding | |
| SI-03 | Malicious Code Protection | mitigates | T1132.001 | Standard Encoding | |
| CM-02 | Baseline Configuration | mitigates | T1132.001 | Standard Encoding | |
| SI-04 | System Monitoring | mitigates | T1132.001 | Standard Encoding | |
| AC-04 | Information Flow Enforcement | mitigates | T1132.001 | Standard Encoding | |
| SC-07 | Boundary Protection | mitigates | T1132.001 | Standard Encoding |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1132.001 | Standard Encoding |
Comments
Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques for commands &/or C&C traffic.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
References
|