# T1132.001 Standard Encoding

-----------------------------------------------------------------------

## Technique Description

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

## Technique Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used encoded ASCII text for initial C2 communications.(Citation: Unit 42 Valak July 2020)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro Tropic Trooper May 2020)| 
| APT19 | An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant used Base64 to encode communications to the C2 server.(Citation: Unit 42 C0d0so0 Jan 2016)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail)| 
| BRONZE BUTLER | Several [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) tools encode data with base64 when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) used Base64 to encode C2 traffic.(Citation: Cymmetria Patchwork)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool uses base64 encoding and HTML tags for the communication traffic with the C2 server.(Citation: ESET Telebots Dec 2016)| 
| Lazarus Group | A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1132/001)

  * [Wikipedia Binary-To-Text Encoding](https://en.wikipedia.org/wiki/Binary-to-text_encoding), Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.

  * [Wikipedia Character Encoding](https://en.wikipedia.org/wiki/Character_encoding), Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 08 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Mr. Servando Quinones CTR

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | | |
| APT29 | | |
| Turla | | |

#### APT29
- APT29 encodes its command and control data so that it blends in with normal HTTP(S) traffic and avoids detection.

## Detection Blindspots

- Incorrect sensor placement (a sensor that does not see the egress path the host actually uses) will prevent this TTP from being identified.
- Encrypted traffic hides the session payload, so the encoding itself cannot be inspected; analyze the surrounding connection context (DNS resolution, destination, byte counts, and follow-on connections) instead.

## Analytical References

- https://attack.mitre.org/groups/G0016/
- https://attack.mitre.org/software/S0559/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Processes utilizing the network that do not normally have network communication, or that have never been seen before on the current working network, are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
- Eliminate known traffic to narrow the results returned. Entropy can assist here, with one caveat: Base64 output uses a 64-symbol alphabet, so its per-byte entropy never exceeds 6 bits. An entropy filter set at 6 or above will surface compressed or encrypted payloads but can miss plain Base64 text.
- Encrypted traffic on non-standard ports should be reviewed (e.g., HTTPS on port 80).
- Use a combination of DNS requests, responses, and follow-on connections over HTTP(S) to understand the full connection.

#### Analytic 1 (APT 29)

  * **Information:** Encoding

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:**
       - Check the content of HTTP POST bodies, specifically for data that looks Base64-encoded. Modify the method as required (GET, POST, HEAD, etc.).
       - Identify possible encoded data in the HTTP body.
       - Once identified, you may also add the suspected external host and the internal source IP that are communicating.
       - Identify DNS requests seen across the network with their corresponding DNS answers.
       - It may also be possible to search on payload length, as this may assist in identifying suspicious network traffic, e.g. ```databytes.src == 10000```.

  * **Query_1:** ```http.statuscode == 200 && http.method == POST``` (modify the status code as needed)
  * **Query_2:** ```entropy.http == [6,7,8]```
  * **Query_3:** ```http.content-type == *encode*```
  * **Query_4:** ```host.http == [] && ip.src == []```
  * **Query_5:** ```protocols == dns && dns.query.type == A```
  * **Query_6:** ```databytes.src == (modify as needed)```

#### Analytic 2 (APT 29)

  * **Information:** JSON Data

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:**
      - Identify possible JSON data being sent to a destination by filtering for content type with a successful connection and a GET, POST, or PUT method.
      - Modify "http.content-type" to what is seen across the network and "databytes.src" as needed.

  * **Query:** ```http.statuscode == 200 && http.method == [GET, POST, PUT] && http.content-type == [application/octet-stream, application/json] && databytes.src == [ ]```


#### Analytic 3 (APT 29)

  * **Information:** Full Hunt Methodology

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:**
       - Q1: Identify successful (status 200) connections over HTTP with a POST method.
       - Q2: Use entropy to narrow the traffic to bodies that may be compressed, encoded, or obfuscated.
       - Q3: Filter out internal-to-internal traffic if the suspected traffic is going from internal to external.
       - Q4: Identify specific content types among the connections that remain after the queries above. Given the reporting, we focus on the content types listed below.
       - Q5: If a data byte payload size has been identified, add the query below to the remaining results. Modify the data bytes as needed.
       - Q6: The combined query appears as below, excluding data bytes; add them if available.
       - Q7-8: Investigate any destinations that have not been resolved to a domain and are hardcoded IPs. Export unique URIs with counts.
            - After suspicious internal hosts and encoded traffic have been identified and confirmed to have contacted possible command and control servers with the combined query above, identify the initial DNS request made by the specific host; this may assist in locating other hosts that reached out to the same external host. You may also add the suspected external host and the internal source IP that are communicating once identified.
       - Q9: DNS queries should be run separately after suspicious activity has been identified.

  * **Query_1:** ```http.statuscode == 200 && http.method == POST```
  * **Query_2:** ```entropy.http == [6,7,8]```
  * **Query_3:** ```ip.dst != [10/8, 192.168/16, 172.16/12]```
  * **Query_4:** ```http.content-type == [application/octet-stream, application/json, */xml]```
  * **Query_5:** ```databytes.src == [ ]```
  * **Query_6:** ```http.statuscode == 200 && http.method == POST && entropy.http == [6,7,8] && ip.dst != [10/8, 192.168/16, 172.16/12] && http.content-type == [application/octet-stream, application/json, */xml]```
  * **Query_7:** ```protocols == dns && ip.src == [] && host.dns == [ ]```
  * **Query_8:** ```host.http == [ ] && ip.src == [ ]```
  * **Query_9:** ```protocols == dns && dns.query.type == A```
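The following Python script is an added example, not part of the original hunt page and not Arkime code. It replays the Analytic 3 chain (Q1 POST with status 200, Q3 external destination, Q4 content types) over a constructed list of session records and then classifies what survives as Base64, Base64-wrapped gzip, or opaque high-entropy data, which is the body check that Analytic 1 and the Hunter Notes describe. It also shows why the Q2 gate ```entropy.http == [6,7,8]``` is a caveat rather than a filter: the Base64 beacon scores well under 6 bits per byte while the opaque blob scores close to 8, so the script classifies Base64 first and only applies the entropy threshold to bodies that are not Base64. The sessions, IP addresses (documentation ranges), beacon contents and field names are all constructed; the dictionary keys only mimic the Arkime fields used in the queries above.

```python
"""Triage HTTP POST bodies for standard-encoded C2 data (T1132.001).
Added example for this hunt page: constructed sessions, not captured data, and
field names that only mimic the Arkime fields used in the queries above."""
import base64, binascii, gzip, hashlib, ipaddress, json, math, re, zlib
from collections import Counter

# --- constructed sample traffic ---------------------------------------------
def beacon(hostname: str) -> bytes:
    """Small JSON check-in of the kind a first-stage implant might send."""
    return json.dumps({"host": hostname, "user": "jdoe", "cmd": "whoami"}).encode()

PLAIN_B64 = base64.b64encode(beacon("WS01"))                     # Base64 of JSON
GZIP_B64 = base64.b64encode(gzip.compress(beacon("WS02") * 20))  # Base64 of gzip: encoding plus compression
BLOB = hashlib.shake_256(b"seed").digest(1024)                   # deterministic stand-in for an encrypted blob
FORM = b"user=jdoe&action=login"                                 # benign form post

def session(src, dst, method, status, ctype, body, rx=120):
    return {"ip.src": src, "ip.dst": dst, "http.method": method, "http.statuscode": status,
            "http.content-type": ctype, "body": body,
            "databytes.src": len(body), "databytes.dst": rx}

SESSIONS = [
    session("10.1.2.10", "203.0.113.7", "POST", 200, "application/octet-stream", PLAIN_B64),
    session("10.1.2.11", "203.0.113.7", "POST", 200, "application/json", GZIP_B64),
    session("10.1.2.12", "198.51.100.9", "POST", 200, "application/octet-stream", BLOB),
    session("10.1.2.13", "10.1.2.50", "POST", 200, "application/octet-stream", PLAIN_B64),  # internal: Q3 drops it
    session("10.1.2.14", "203.0.113.8", "POST", 200, "application/x-www-form-urlencoded", FORM),  # Q4 drops it
    session("10.1.2.15", "203.0.113.8", "GET", 200, "application/json", b"{}"),  # Q1 drops it
]

# --- detection logic ----------------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant string, 8.0 for uniformly distributed bytes.
    Base64 text draws from 64 symbols (65 with '='), so it tops out near 6.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

B64_RE = re.compile(rb"\A[A-Za-z0-9+/]{16,}={0,2}\Z")

def decode_base64(body: bytes):
    """Strict Base64 test (alphabet, length multiple of 4, clean decode); None otherwise."""
    body = body.strip()
    if len(body) % 4 or not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None

def gunzip(data: bytes):
    """Decompress gzip data, or None if it only looked like gzip."""
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None

# Q3 as written on the page. (ipaddress.is_private would also exclude the documentation ranges used above.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

SUSPECT_TYPES = ("application/octet-stream", "application/json")
GZIP_MAGIC = b"\x1f\x8b"

def triage(s: dict):
    """Apply Q1, Q3 and Q4, then classify the body instead of gating on Q2's entropy.
    Returns a finding dict, or None when the session is not of interest."""
    if s["http.method"] != "POST" or s["http.statuscode"] != 200:      # Q1
        return None
    if not is_external(s["ip.dst"]):                                    # Q3
        return None
    ctype = s["http.content-type"]                                      # Q4
    if ctype not in SUSPECT_TYPES and not ctype.endswith("/xml"):
        return None
    body = s["body"]
    decoded = decode_base64(body)
    if decoded is not None:
        inner = gunzip(decoded) if decoded.startswith(GZIP_MAGIC) else None
        kind, inner = ("base64+gzip", inner) if inner is not None else ("base64", decoded)
    elif shannon_entropy(body) >= 6.0:       # the Q2 gate, reached only for non-Base64 bodies
        kind, inner = "high-entropy", b""
    else:
        return None
    return {"ip.src": s["ip.src"], "ip.dst": s["ip.dst"], "kind": kind,
            "entropy": round(shannon_entropy(body), 2),
            "upload_ratio": round(s["databytes.src"] / max(s["databytes.dst"], 1), 2),
            "preview": inner[:40]}

def run(sessions=SESSIONS):
    """Findings for every session that survives the filters, in input order."""
    return [f for f in (triage(s) for s in sessions) if f]

if __name__ == "__main__":
    print(*run(), sep="\n")
```

Running the script prints three findings (the Base64 beacon, the Base64-wrapped gzip beacon, and the opaque blob) and drops the internal-to-internal, form-encoded and GET sessions. The `upload_ratio` field carries the Hunter Notes point about clients that send far more than they receive; the blob session uploads roughly eight times what it downloads. Against real captures, replace `SESSIONS` with records exported from the Arkime queries and keep the strict Base64 check: a loose regex that accepts any alphanumeric run will flag session tokens and hashes as encoded C2.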