TIARAS - T1132: Data Encoding

MITRE ATT&CK Technique

Command and Control T1132

Description

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Supported Platforms

Linux macOS Windows ESXi

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-05-31T21:31:43.540Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may encode data to make the content of command '
                'and control traffic more difficult to detect. Command and '
                'control (C2) information can be encoded using a standard data '
                'encoding system. Use of data encoding may adhere to existing '
                'protocol specifications and includes use of ASCII, Unicode, '
                'Base64, MIME, or other binary-to-text and character encoding '
                'systems.(Citation: Wikipedia Binary-to-text Encoding) '
                '(Citation: Wikipedia Character Encoding) Some data encoding '
                'systems may also result in data compression, such as gzip.',
 'external_references': [{'external_id': 'T1132',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1132'},
                         {'description': 'Gardiner, J.,  Cova, M., Nagaraja, '
                                         'S. (2014, February). Command & '
                                         'Control Understanding, Denying and '
                                         'Detecting. Retrieved April 20, 2016.',
                          'source_name': 'University of Birmingham C2',
                          'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'},
                         {'description': 'Wikipedia. (2016, December 26). '
                                         'Binary-to-text encoding. Retrieved '
                                         'March 1, 2017.',
                          'source_name': 'Wikipedia Binary-to-text Encoding',
                          'url': 'https://en.wikipedia.org/wiki/Binary-to-text_encoding'},
                         {'description': 'Wikipedia. (2017, February 19). '
                                         'Character Encoding. Retrieved March '
                                         '1, 2017.',
                          'source_name': 'Wikipedia Character Encoding',
                          'url': 'https://en.wikipedia.org/wiki/Character_encoding'}],
 'id': 'attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-10-24T17:49:23.915Z',
 'name': 'Data Encoding',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Itzik Kotler, SafeBreach'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
 'x_mitre_version': '1.3'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (3)

Velvet Ant
High

APT19
High

APT33
High

Back to TTPs

Dashboard About