Data Encoding: Standard Encoding, Sub-technique T1132.001 - Enterprise

ADVSTORESHELL

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.[3]

APT19

An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.[4]

APT33

APT33 has used base64 to encode command and control traffic.[5]

Astaroth

Astaroth encodes data using Base64 before sending it to the C2 server.[6]

AutoIt backdoor

AutoIt backdoor has sent a C2 response that was base64-encoded.[7]

BabyShark

BabyShark has encoded data using certutil before exfiltration.[8]

Backdoor.Oldrea

Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[9]

BADNEWS

BADNEWS encodes C2 traffic with base64.[7][10][11]

BRONZE BUTLER

Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[12]

BS2005

BS2005 uses Base64 encoding for communication in the message body of an HTTP request.[13]

Carbanak

Carbanak encodes the message body of HTTP traffic with Base64.[14][15]

ChChes

ChChes can encode C2 data with a custom technique that utilizes Base64.[16][17]

Cobian RAT

Cobian RAT obfuscates communications with the C2 server using Base64 encoding.[18]

CORESHELL

CORESHELL C2 messages are Base64-encoded.[19]

Daserf

Daserf uses custom base64 encoding to obfuscate HTTP traffic.[12]

Denis

Denis encodes the data sent to the server in Base64.[20]

Dipsind

Dipsind encodes C2 traffic with base64.[21]

down_new

down_new has the ability to base64 encode C2 communications.[22]

Ebury

Ebury has encoded C2 traffic in hexadecimal format.[23]

Elise

Elise exfiltrates data using cookie values that are Base64-encoded.[24]

Felismus

Some Felismus samples use a custom method for C2 traffic that utilizes Base64.[25]

Fysbis

Fysbis can use Base64 to encode its C2 traffic.[26]

gh0st RAT

gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[27]

Helminth

For C2 over HTTP, Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.[28]

HOPLIGHT

HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.[29]

Ixeshe

Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.[30][31]

JHUHUGIT

A JHUHUGIT variant encodes C2 POST data with base64.[32]

Kazuar

Kazuar encodes communications to the C2 server in Base64.[33]

Kessel

Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[34]

KONNI

KONNI has used a custom base64 key to encode stolen data before exfiltration.[35]

Lazarus Group

A Lazarus Group malware sample encodes data with base64.[36]

MechaFlounder

MechaFlounder has the ability to use base16 encoded strings in C2.[37]

Mis-Type

Mis-Type uses Base64 encoding for C2 traffic.[38]

Misdat

Misdat network traffic is Base64-encoded plaintext.[38]

More_eggs

More_eggs has used basE91 encoding, along with encryption, for C2 communication.[39]

MuddyWater

MuddyWater has base64 encoded C2 communications.[40]

njRAT

njRAT uses Base64 encoding for C2 traffic.[41]

Octopus

Octopus encodes C2 communications in Base64.[42]

Okrum

Okrum has used base64 to encode C2 communication.[43]

OopsIE

OopsIE encodes data in hexadecimal format over the C2 channel.[44]

Patchwork

Patchwork used Base64 to encode C2 traffic.[45]

Pisloader

Responses from the Pisloader C2 server are base32-encoded.[46]

PowerShower

PowerShower has the ability to encode C2 communications with base64 encoding.[47][48]

POWERSTATS

POWERSTATS encoded C2 traffic with base64.[49]

POWRUNER

POWRUNER can use base64 encoded C2 communications.[50]

Prikormka

Prikormka encodes C2 traffic with Base64.[51]

QUADAGENT

QUADAGENT encodes C2 communications with base64.[52]

RDAT

RDAT can communicate with the C2 via base32-encoded subdomains.[53]

Revenge RAT

Revenge RAT uses Base64 to encode information sent to the C2 server.[54]

RogueRobin

RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[55]

S-Type

S-Type uses Base64 encoding for C2 traffic.[38]

Sandworm Team

Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for its communication traffic with the C2 server.[56]

SeaDuke

SeaDuke C2 traffic is base64-encoded.[57]

SpeakUp

SpeakUp encodes C&C communication using Base64.[58]

Sunburst

Sunburst used Base64 encoding in its C2 traffic.[59]

TrickBot

TrickBot can Base64-encode C2 commands.[60]

Tropic Trooper

Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.[61]

Valak

Valak has returned C2 data as encoded ASCII.[62]

WellMess

WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[63]

Zebrocy

Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.[64]