# T1132 Data Encoding

-----------------------------------------------------------------------

## Technique Description

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1132)

  * [Wikipedia Binary-To-Text Encoding](https://en.wikipedia.org/wiki/Binary-to-text_encoding), Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.

  * [Wikipedia Character Encoding](https://en.wikipedia.org/wiki/Character_encoding), Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 08 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- The adversary will attempt to encode their data for command and control to allow it to blend in with normal traffic using HTTP(S) and avoid detection. 

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 |  | 1, 2|

#### APT28
- C2 traffic from ADVSTORESHELL (APT28 backdoor) is encrypted, then encoded with Base64 encoding.
- CORESHELL (APT28 downloader) C2 messages are Base64-encoded.
- Fysbis (APT28 Linux backdoor) can use Base64 to encode its C2 traffic.
- A JHUHUGIT (APT28) variant encodes C2 POST data in Base64.
- Zebrocy (APT28 Trojan) used URL/Percent Encoding on data exfiltrated via HTTP POST requests.

#### APT29
- SeaDuke (APT29) C2 traffic is base64-encoded.
- WellMess (malware used by APT29) has used Base64 encoding to uniquely identify communication to and from the C2.

#### Turla
- Kazuar (Turla) encodes communications to the C2 server in Base64.

## Detection Blindspots

- Encrypted traffic may make detecting this TTP difficult. Connection metadata and host logs will be needed to validate suspicious traffic.
- Incorrect sensor placement may not allow this TTP to be identified.

## Analytical References

  * [Fancy Bear](https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf)
  * [From Sunburst to Teardrop](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
  * [Sunburst Backdoor](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)
  * [Atomic Red Team T1132.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md)
  * [Sofacy APT Hits High Profile Targets with Updated Toolset (securelist)](https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/)
  * [Accenture SnakeMackerel Delivers Zekapab Malware (accenture)](https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50)
  * [Kazuar Multiplatform Espionage Backdoor API Access (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/)
  * [Technical Analysis Seaduke (palotaltonetworks)](https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/)
  * [Analysis Report AR20-198b (cisa)](https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b)
  * [Cleaning up after Wellmess (pwc.co.uk)](https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

#### Analytic 1

  * **Information:** Check PowerShell script block for evidence of data being encoded

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Search for parameters that could be related to data encoding

  * **Query:** ```event.code : 4104```
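Added example, not part of the playbook: a Python triage pass over the ScriptBlockText returned by the 4104 query above. It flags encoding-related cmdlets and parameters and decodes any base64 literals so the hunter can read them; the indicator list, the length threshold and the sample events are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Encoding-related cmdlets and parameters to look for in ScriptBlockText (event 4104).
# This indicator list and the 32-character base64 threshold are assumptions for the example.
ENCODING_INDICATORS = ("FromBase64String", "ToBase64String", "-EncodedCommand",
                       "GZipStream", "System.Text.Encoding")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def decode_literals(script_text):
    """Decode base64 literals found in a script block. UTF-16LE is tried first because
    -EncodedCommand expects it; only ASCII-range text is accepted so arbitrary bytes are
    not mistaken for UTF-16 text. Payloads that decode to neither are reported as hex."""
    found = []
    for match in BASE64_RUN.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # alphabet run that is not valid base64 (e.g. bad padding)
        for codec in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(codec)
            except UnicodeDecodeError:
                continue
            if text.isprintable() and text.isascii():
                found.append(text)
                break
        else:
            found.append(raw.hex())
    return found

def triage_4104(event):
    """Return indicator hits and decoded literals for one 4104 event (a dict with
    ScriptBlockText), so the hunter can read what the encoding was hiding."""
    text = event["ScriptBlockText"]
    hits = [ind for ind in ENCODING_INDICATORS if ind.lower() in text.lower()]
    decoded = decode_literals(text)
    return {"indicators": hits, "decoded": decoded, "suspicious": bool(hits or decoded)}

# Constructed sample events (not real telemetry); both encoded payloads are harmless.
_ENC_CMD = base64.b64encode("Get-Date -Format u".encode("utf-16-le")).decode()
_B64_TEXT = base64.b64encode(b"hello from the script block").decode()
SAMPLE_EVENTS = [
    {"ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"ScriptBlockText": "powershell.exe -EncodedCommand " + _ENC_CMD},
    {"ScriptBlockText": "[System.Text.Encoding]::UTF8.GetString("
                        "[Convert]::FromBase64String('" + _B64_TEXT + "'))"},
]
```

Feed it the ScriptBlockText field of each 4104 hit from Kibana; the decoded list is what to read before deciding whether the block is benign.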

#### Analytic 2

  * **Information:** Search for executables that can perform data encoding

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.name : (gzip.exe or 7z.exe or winrar.exe)```

#### Analytic 3

  * **Information:** Search for processes that should not be using the network

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event.code : 3 and process.name : *```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Processes utilizing the network that do not normally have network communication or have never been seen before on the current network are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
- Eliminate known traffic to assist in narrowing the results returned. Entropy may assist in this aspect.
- Encrypted traffic on non-standard ports should be reviewed (e.g., HTTPS on port 80).
- Use a combination of DNS requests, responses, and follow-on connections over HTTP(S) to have a better understanding of the full connection.
- MCA will obfuscate their network traffic to blend in with "normal" network traffic.

<p align="center">
<img src="../../Images/T1132_Data_Encoding.png">
</p>

#### Analytic 1 (APT 29)

  * **Information:** Identify network connections that may be obfuscating or encoding data payloads to successfully communicate with adversary command and control servers.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Use a combination of successful PUT, POST, and GET connections to identify possible encoded traffic leaving or entering the network. If possible, there may be an opportunity to associate compressed files (gzip, 7zip, etc.) with these connections. Eliminate host.http values that have been validated to minimize network noise.

  * **Query Arkime:** ```http.statuscode == 200 && entropy.http == [6, 7, 8] && http.method == [POST, PUT, GET] && ip.dst != [10/8,172.16/12,192.168/16] && http.bodymagic == *zip```

  * **Query Kibana:** ```http.statuscode: 200 and entropy.http: (6 or 7 or 8) and http.method: (POST or PUT or GET) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and http.bodymagic: *zip```
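Added example, not part of the playbook: a Python version of the Arkime/Kibana logic above (entropy window, RFC1918 exclusion, zip body magic) run over constructed HTTP bodies. It also shows why the hunter note on entropy needs an alphabet check beside it: base64 text cannot exceed 6 bits per byte, so it sits at the bottom edge of the window. Field names, sample flows and the seeded payload are assumptions for this example.

```python
import base64
import gzip
import ipaddress
import math
import random
from collections import Counter

# Window and ranges mirror the Arkime/Kibana queries above: entropy 6-8 bits per byte,
# RFC1918 destinations excluded, body magic of a gzip archive.
ENTROPY_LOW, ENTROPY_HIGH = 6.0, 8.0
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GZIP_MAGIC = b"\x1f\x8b"
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def shannon_entropy(data):
    """Bits per byte: about 4-5 for text, up to 6 for base64, near 8 for compressed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def looks_base64(body):
    """log2(64) = 6, so base64 sits just under the window's lower edge; the alphabet check catches it."""
    return len(body) >= 16 and len(body) % 4 == 0 and set(body) <= B64_ALPHABET

def triage_flow(flow):
    """flow: dict with method, status, dst_ip, body (bytes). Returns the query verdict plus encoding hints."""
    body = flow["body"]
    ent = shannon_entropy(body)
    query_match = (flow["status"] == 200 and flow["method"] in ("POST", "PUT", "GET")
                   and not is_internal(flow["dst_ip"])
                   and ENTROPY_LOW <= ent <= ENTROPY_HIGH and body.startswith(GZIP_MAGIC))
    return {"entropy": ent, "query_match": query_match,
            "gzip": body.startswith(GZIP_MAGIC), "base64": looks_base64(body)}

# Constructed sample flows (203.0.113.10 is a documentation address); the seeded
# pseudo-random blob stands in for an encrypted payload.
_blob = random.Random(7).randbytes(1536)
def _flow(dst_ip, body):
    return {"method": "POST", "status": 200, "dst_ip": dst_ip, "body": body}
SAMPLE_FLOWS = {
    "form": _flow("203.0.113.10", b"user=alice&action=view&page=home&lang=en"),
    "gzip_external": _flow("203.0.113.10", gzip.compress(_blob, mtime=0)),
    "gzip_internal": _flow("192.168.1.20", gzip.compress(_blob, mtime=0)),
    "base64_external": _flow("203.0.113.10", base64.b64encode(_blob)),
}
```

Only the external gzip flow satisfies every clause of the query; the base64 flow fails the entropy window and the magic check, which is the gap the `base64` hint is there to cover.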

#### Analytic 2

  * **Information:** Comments

  * **Source:** PCAP

  * **Tool:** Kibana

  * **Notes:** Encrypted traffic will make detection difficult

  * **Query:** ```Input your query here```