ID | Name |
---|---|
T1132.001 | Standard Encoding |
T1132.002 | Non-Standard Encoding |
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.[1] [2] Some data encoding systems may also result in data compression, such as gzip.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.[3] |
G0073 | APT19 |
An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.[4] |
G0064 | APT33 |
APT33 has used base64 to encode command and control traffic.[5] |
S0373 | Astaroth |
Astaroth encodes data using Base64 before sending it to the C2 server. [6] |
S0129 | AutoIt backdoor |
AutoIt backdoor has sent a C2 response that was base64-encoded.[7] |
S0414 | BabyShark |
BabyShark has encoded data using certutil before exfiltration.[8] |
S0093 | Backdoor.Oldrea |
Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[9] |
S0128 | BADNEWS | |
S0268 | Bisonal | |
S0520 | BLINDINGCAN |
BLINDINGCAN has encoded its C2 traffic with Base64.[13] |
G0060 | BRONZE BUTLER |
Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[14] |
S0014 | BS2005 |
BS2005 uses Base64 encoding for communication in the message body of an HTTP request.[15] |
S0030 | Carbanak |
Carbanak encodes the message body of HTTP traffic with Base64.[16][17] |
S0631 | Chaes | |
S0144 | ChChes |
ChChes can encode C2 data with a custom technique that utilizes Base64.[19][20] |
S0154 | Cobalt Strike |
Cobalt Strike can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic.[21] |
S0338 | Cobian RAT |
Cobian RAT obfuscates communications with the C2 server using Base64 encoding.[22] |
S0137 | CORESHELL | |
S0187 | Daserf |
Daserf uses custom base64 encoding to obfuscate HTTP traffic.[14] |
S0354 | Denis | |
S0200 | Dipsind | |
S0472 | down_new |
down_new has the ability to base64 encode C2 communications.[26] |
S0377 | Ebury | |
S0081 | Elise |
Elise exfiltrates data using cookie values that are Base64-encoded.[28] |
S0171 | Felismus |
Some Felismus samples use a custom method for C2 traffic that utilizes Base64.[29] |
S0410 | Fysbis | |
S0032 | gh0st RAT |
gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[31] |
S0632 | GrimAgent | |
G0125 | HAFNIUM | |
S0170 | Helminth |
For C2 over HTTP, Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.[34] |
S0376 | HOPLIGHT |
HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [35] |
S0015 | Ixeshe |
Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.[36][37] |
S0044 | JHUHUGIT | |
S0265 | Kazuar |
Kazuar encodes communications to the C2 server in Base64.[39] |
S0487 | Kessel |
Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[40] |
S0356 | KONNI |
KONNI has used a custom base64 key to encode stolen data before exfiltration.[41] |
G0032 | Lazarus Group |
A Lazarus Group malware sample encodes data with base64.[42] |
S0409 | Machete | |
S0459 | MechaFlounder |
MechaFlounder has the ability to use base16 encoded strings in C2.[44] |
S0084 | Mis-Type | |
S0083 | Misdat | |
S0284 | More_eggs |
More_eggs has used basE91 encoding, along with encryption, for C2 communication.[46] |
G0069 | MuddyWater |
MuddyWater has used tools to encode C2 communications including Base64 encoding.[47][48] |
S0385 | njRAT | |
S0340 | Octopus | |
S0439 | Okrum | |
S0264 | OopsIE |
OopsIE encodes data in hexadecimal format over the C2 channel.[52] |
G0040 | Patchwork | |
S0124 | Pisloader |
Responses from the Pisloader C2 server are base32-encoded.[54] |
S0441 | PowerShower |
PowerShower has the ability to encode C2 communications with base64 encoding.[55][56] |
S0223 | POWERSTATS |
POWERSTATS encoded C2 traffic with base64.[57] |
S0184 | POWRUNER | |
S0113 | Prikormka | |
S0650 | QakBot |
QakBot can Base64 encode system information sent to C2.[60][61] |
S0269 | QUADAGENT | |
S0458 | Ramsay | |
S0495 | RDAT |
RDAT can communicate with the C2 via base32-encoded subdomains.[64] |
S0379 | Revenge RAT |
Revenge RAT uses Base64 to encode information sent to the C2 server.[65] |
S0270 | RogueRobin |
RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[66] |
S0085 | S-Type | |
G0034 | Sandworm Team |
Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.[67] |
S0053 | SeaDuke | |
S0610 | SideTwist | |
S0633 | Sliver |
Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[70] |
S0649 | SMOKEDHAM | |
S0543 | Spark |
Spark has encoded communications with the C2 server with base64.[72] |
S0374 | SpeakUp | |
S0603 | Stuxnet |
Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.[74] |
S0559 | SUNBURST | |
G0127 | TA551 |
TA551 has used encoded ASCII text for initial C2 communications.[76] |
S0266 | TrickBot | |
G0081 | Tropic Trooper |
Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.[78] |
S0476 | Valak | |
S0514 | WellMess |
WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[79] |
S0653 | xCaon | |
S0251 | Zebrocy |
Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.[81] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |
ID | Data Source | Data Component |
---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[82]