T1132 - Data Encoding#

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
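The three heuristics above (asymmetric byte counts, processes that have never talked to the network before, and content that does not fit the port's protocol) can be run over per-connection flow summaries and DNS query logs. The following is an added example written for this page, not code from ATT&CK or from any referenced tool; the flow records, the process baseline and the DNS names are constructed, and the field names (`bytes_out`, `bytes_in`, `proc`) are assumptions about what a NetFlow- or Zeek-style collector joined to process telemetry would provide.

```python
import base64
import binascii
import re

# Constructed per-connection flow summaries (not real captures), in the shape a
# NetFlow or Zeek conn.log collector would emit once joined to the owning process.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443, "proc": "chrome.exe",
     "bytes_out": 4_200, "bytes_in": 310_000},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "proc": "svchost.exe",
     "bytes_out": 2_900_000, "bytes_in": 12_000},
    {"src": "10.0.0.9", "dst": "203.0.113.20", "dport": 53, "proc": "notepad.exe",
     "bytes_out": 640_000, "bytes_in": 9_000},
    {"src": "10.0.0.9", "dst": "203.0.113.20", "dport": 53, "proc": "svchost.exe",
     "bytes_out": 900, "bytes_in": 1_400},
]
# Assumed baseline of processes seen using the network during a learning period.
BASELINE_PROCESSES = {"chrome.exe", "svchost.exe", "outlook.exe"}

# Constructed DNS query names. The long label is the kind of thing a
# (hypothetical) DNS-tunnelling implant emits after Base64url-encoding its check-in.
ENCODED_LABEL = base64.urlsafe_b64encode(b"host=WS01;user=alice").decode().rstrip("=")
SAMPLE_DNS_QUERIES = [
    "www.example.com",
    "time.windows.com",
    f"{ENCODED_LABEL}.cdn-sync.example.net",
]

# Standard and URL-safe Base64 alphabets; 24+ characters avoids flagging short words.
B64_STD = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
B64_URL = re.compile(r"[A-Za-z0-9_-]{24,}={0,2}")


def asymmetric_flows(flows, ratio=10.0, min_bytes_out=100_000):
    """Flows where the client sends far more than it receives: the shape of exfiltration."""
    return [f for f in flows
            if f["bytes_out"] >= min_bytes_out
            and f["bytes_out"] / max(f["bytes_in"], 1) >= ratio]


def novel_network_processes(flows, baseline):
    """Processes using the network that were never seen doing so during baselining."""
    return {f["proc"] for f in flows if f["proc"] not in baseline}


def decode_if_base64(token):
    """Return the decoded bytes if `token` is plausibly Base64/Base64url, else None."""
    if B64_STD.fullmatch(token):
        decoder = base64.b64decode
    elif B64_URL.fullmatch(token):
        decoder = base64.urlsafe_b64decode
    else:
        return None
    padded = token + "=" * (-len(token) % 4)   # re-add padding stripped for DNS
    try:
        return decoder(padded)
    except (ValueError, binascii.Error):
        return None


def suspicious_dns_names(names):
    """DNS names carrying a label that decodes as Base64: data where a hostname belongs."""
    hits = []
    for name in names:
        for label in name.split("."):
            decoded = decode_if_base64(label)
            if decoded is not None:
                hits.append((name, decoded))
                break
    return hits


if __name__ == "__main__":
    for f in asymmetric_flows(SAMPLE_FLOWS):
        print("asymmetric:", f["proc"], f["src"], "->", f["dst"], f["dport"])
    print("novel processes:", novel_network_processes(SAMPLE_FLOWS, BASELINE_PROCESSES))
    for name, decoded in suspicious_dns_names(SAMPLE_DNS_QUERIES):
        print("encoded label in", name, "->", decoded)
```

The Base64 label check is a heuristic: long alphanumeric labels also occur legitimately (CDN and telemetry hostnames, DKIM and ACME records), so in production it should be combined with the per-process and byte-ratio signals rather than alerting on its own.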

Shield Active Defense#

Protocol Decoder#

Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.

Protocol decoders are designed to read network traffic and contextualize all activity between the operator and the implant. These tools are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret.

Opportunity#

There is an opportunity to reveal data that the adversary has tried to protect from defenders.

Use Case#

Defenders can develop protocol decoders that can decrypt network capture data and expose an adversary’s command and control traffic as well as their exfiltration activity.

Procedures#

Create and apply a decoder which allows you to view encrypted and/or encoded network traffic in a human-readable format.
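A minimal decoder for the encodings the technique description lists (Base64, including line-wrapped MIME Base64, hex, and gzip compression) peels layers until it reaches text or hits bytes it cannot interpret. This is an added example for this page, not a tool from ATT&CK or Shield; the beacon message, the hex-encoded tasking and the "opaque" blob are constructed, and the JSON field names are assumptions about a hypothetical implant's format.

```python
import base64
import binascii
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b"
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

# Constructed sample traffic, not real captures. The (hypothetical) implant
# gzip-compresses its JSON check-in and Base64-encodes it before POSTing;
# mtime=0 keeps the gzip header deterministic.
BEACON_JSON = b'{"id":"WS01","task":"whoami","result":"alice"}'
SAMPLE_POST_BODY = base64.b64encode(gzip.compress(BEACON_JSON, mtime=0))
SAMPLE_HEX_TASK = binascii.hexlify(b"sleep 60; jitter 20")
# Base64 over bytes that are neither text nor gzip stands in for an encrypted blob.
SAMPLE_OPAQUE = base64.b64encode(bytes(range(0x80, 0x98)))


def _mostly_printable(data, threshold=0.9):
    """True if the bytes look like text rather than ciphertext or binary."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return printable / len(data) >= threshold


def peel_layers(blob, max_layers=8):
    """Strip recognisable encoding/compression layers one at a time.

    Returns (payload, layers, opaque). `layers` lists what was removed, in
    order; `opaque` is True when a layer decoded to bytes that are neither
    text nor gzip, i.e. probably encrypted or an encoding this decoder lacks.
    """
    layers = []
    for _ in range(max_layers):
        compact = b"".join(blob.split())   # MIME Base64 is line-wrapped; drop whitespace
        if blob.startswith(GZIP_MAGIC):
            blob = gzip.decompress(blob)
            layers.append("gzip")
        # Hex is tested before Base64 because every hex string is also valid Base64.
        elif len(compact) >= 16 and len(compact) % 2 == 0 and HEX_RE.fullmatch(compact):
            blob = binascii.unhexlify(compact)
            layers.append("hex")
        elif len(compact) >= 8 and len(compact) % 4 == 0 and B64_RE.fullmatch(compact):
            blob = base64.b64decode(compact, validate=True)
            layers.append("base64")
        else:
            break
        if not (blob.startswith(GZIP_MAGIC) or _mostly_printable(blob)):
            return blob, layers, True
    return blob, layers, False


def decode_c2_payload(body):
    """Decode one captured message into an analyst-readable record."""
    payload, layers, opaque = peel_layers(body)
    result = {"layers": layers, "opaque": opaque, "plaintext": None, "fields": None}
    if opaque:
        return result
    try:
        result["plaintext"] = payload.decode("utf-8")
    except UnicodeDecodeError:
        return result
    try:
        result["fields"] = json.loads(result["plaintext"])
    except json.JSONDecodeError:
        pass
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_POST_BODY, SAMPLE_HEX_TASK, SAMPLE_OPAQUE):
        print(decode_c2_payload(sample))
```

The `opaque` flag is the practical boundary of a pure decoder: once a layer yields high-entropy bytes, the traffic is encrypted or uses an unknown scheme, and the decoder has to be extended with the implant's cipher and key material (recovered from the sample or memory) rather than more alphabet guessing. Layer detection by alphabet is also a heuristic that can misfire on short alphanumeric tokens, so a production decoder keys on the implant's known framing.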