T1132.001: T1132.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 15/03/2020 00:36 · Modified 27/03/2026 01:07

Essential information

MITRE technique ID: T1132.001
Confidence: 100/100
Revoked: No
Published: 15/03/2020 00:36
Modified: 27/03/2026 01:07
Author / Source: The MITRE Corporation

Aliases

Standard Encoding

Platforms

windows macos linux ESXi

Description

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Wikipedia Binary-to-text Encoding
Wikipedia Character Encoding
University of Birmingham C2
mitre-attack (T1132.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (62)

STD Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1020 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OP-512 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Punishing Owl uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_CraftyCamel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Boggy Serpens uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1069 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 62

Kazuar uses

Family The MITRE Corporation Confidence 100

[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

First seen 01/01/1970 · Last seen 16/11/5138 ·
GHOSTFORM uses

Family
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
graphsync uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PteroPSDoor uses

Family
Minecraft RAT uses

Family
QUIETCANARY uses

Family The MITRE Corporation Confidence 100

[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Meterpreter uses

Family
Eternidade Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TameCat uses

Family
Comebacker uses

Family
CloudAtlas uses

Family

← Previous

Page / 7

1–12 of 76

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Popa: From Sourcing to Distribution related

AlienVault Confidence 100 8 MITREs 5 Malwares 200 IOCs 200 Observables
Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
140+ npm Packages Compromised in Coordinated Supply Chain … related

AlienVault Confidence 100 20 MITREs 1 Malware 9 IOCs 9 Observables
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
Browser Spy-Ons: Threat Actor's Extension Hijack Your AI … related

20 MITREs 3 Observables
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps … related

19 MITREs 5 Malwares 1 Observable 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (49)

CVE-2024-23109 targets

10.0 Critical

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized …

Attack vector: Network
Published: 05/02/2024
Modified: 14/01/2026

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2025-48703 KEV targets

9.0 Critical

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …

Attack vector: Network
Published: 04/11/2025
Modified: 08/05/2026

Received

CVE-2024-6327 targets

9.9 Critical

In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization …

Attack vector: NETWORK
Published: 24/07/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-40711 KEV targets

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-43461 KEV targets

8.8 High

Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web …

Attack vector: Network
Published: 16/09/2024
Modified: 21/12/2025

Analyzed

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

← Previous

Page / 5

13–24 of 49

T1132 subtechnique-of

Data Encoding MITRE

Tool (2)

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…

Course Of Action (1)

Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use