Esc
Data Encoding - T1132
(ATT&CK® Technique)
Definition
Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1132["Data Encoding"] --> |produces| OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; class T1132 OffensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic";
click T1132 href "/offensive-technique/attack/T1132/"; click OutboundInternetNetworkTraffic href "/dao/artifact/d3f:OutboundInternetNetworkTraffic"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1132["Data Encoding"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1132["Data Encoding"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1132["Data Encoding"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1132["Data Encoding"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1132["Data Encoding"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1132["Data Encoding"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1132["Data Encoding"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1132["Data Encoding"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1132["Data Encoding"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1132["Data Encoding"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";