T1132.001: T1132.001

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 15/03/2020 00:36 · Modified 27/03/2026 01:07

Essential information

MITRE technique ID: T1132.001
Confidence: 100/100
Revoked: No
Published: 15/03/2020 00:36
Modified: 27/03/2026 01:07
Author / Source: The MITRE Corporation

Aliases

Standard Encoding

Platforms

windows macos linux ESXi

Description

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Wikipedia Binary-to-text Encoding
Wikipedia Character Encoding
University of Birmingham C2
mitre-attack (T1132.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (62)

STD Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1020 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OP-512 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Punishing Owl uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_CraftyCamel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Boggy Serpens uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1069 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 62

Kazuar uses

Family The MITRE Corporation Confidence 100

[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

First seen 01/01/1970 · Last seen 16/11/5138 ·
GHOSTFORM uses

Family
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
graphsync uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PteroPSDoor uses

Family
Minecraft RAT uses

Family
QUIETCANARY uses

Family The MITRE Corporation Confidence 100

[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Eternidade Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TameCat uses

Family
Comebacker uses

Family
CloudAtlas uses

Family

← Previous

Page / 7

1–12 of 76

FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps … related

19 MITREs 5 Malwares 1 Observable 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
A miner with a side of RAT: the … related

AlienVault Confidence 100 21 MITREs 2 Malwares 7 IOCs 7 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Fast and Furious - Nimbus Manticore Operations During … related

20 MITREs 2 Malwares 27 Observables 1 APT
Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling … related

AlienVault Confidence 100 19 MITREs 3 Malwares 28 IOCs 28 Observables
Mini Shai Hulud: Compromised @antv npm packages enable … related

AlienVault Confidence 100 20 MITREs 5 IOCs 5 Observables
Disclosing new PebbleDash-based tools related

AlienVault Confidence 100 20 MITREs 16 Malwares 25 IOCs 25 Observables 1 APT
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
OceanLotus suspected of distributing ZiChatBot malware via wheel … related

AlienVault Confidence 100 16 MITREs 1 Malware 10 IOCs 10 Observables 1 APT
Harvester: APT Group Expands Toolset With New GoGra … related

AlienVault Confidence 100 15 MITREs 2 Malwares 5 IOCs 5 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (49)

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2021-27065 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-45519 KEV targets

10.0 Critical

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before …

Attack vector: Network
Published: 03/10/2024
Modified: 21/12/2025

Analyzed

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2024-23108 targets

10.0 Critical

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized …

Attack vector: Network
Published: 05/02/2024
Modified: 14/01/2026

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2026-20127 KEV targets

10.0 Critical

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …

Attack vector: NETWORK
Complexity: LOW
Published: 25/02/2026
Modified: 18/06/2026

CWE-287 Analyzed

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2025-25256 targets

9.8 Critical

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

Received

← Previous

Page / 5

37–48 of 49

T1132 subtechnique-of

Data Encoding MITRE

Tool (2)

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…

Course Of Action (1)

Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use