T1132.001: T1132.001

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 15/03/2020 00:36 · Modified 27/03/2026 01:07

Essential information

MITRE technique ID: T1132.001
Confidence: 100/100
Revoked: No
Published: 15/03/2020 00:36
Modified: 27/03/2026 01:07
Author / Source: The MITRE Corporation

Aliases

Standard Encoding

Platforms

windows macos linux ESXi

Description

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Wikipedia Binary-to-text Encoding
Wikipedia Character Encoding
University of Birmingham C2
mitre-attack (T1132.001)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (62)

STD Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1020 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OP-512 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedGolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Punishing Owl uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_CraftyCamel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Boggy Serpens uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1069 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 62

Kazuar uses

Family The MITRE Corporation Confidence 100

[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

First seen 01/01/1970 · Last seen 16/11/5138 ·
GHOSTFORM uses

Family
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
graphsync uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PteroPSDoor uses

Family
Minecraft RAT uses

Family
QUIETCANARY uses

Family The MITRE Corporation Confidence 100

[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Eternidade Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TameCat uses

Family
Comebacker uses

Family
CloudAtlas uses

Family

← Previous

Page / 7

1–12 of 76

Skill Marketplace and the Emerging AI Supply Chain … related

AlienVault Confidence 100 19 MITREs 3 Malwares 11 IOCs 5 Observables
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Popa: From Sourcing to Distribution related

AlienVault Confidence 100 8 MITREs 5 Malwares 200 IOCs 200 Observables
Operation Endgame vs. SocGholish Fake Updates related

AlienVault Confidence 100 18 MITREs 17 Malwares 12 IOCs 12 Observables 1 APT
140+ npm Packages Compromised in Coordinated Supply Chain … related

AlienVault Confidence 100 20 MITREs 1 Malware 9 IOCs 9 Observables
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
PHISH ALERT: Press Play for Compromise — Voicemail … related

20 MITREs 19 Observables
From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
Browser Spy-Ons: Threat Actor's Extension Hijack Your AI … related

20 MITREs 3 Observables
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps … related

19 MITREs 5 Malwares 1 Observable 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (49)

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2025-5777 KEV targets

9.3 Critical

Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …

Attack vector: Network
Published: 10/07/2025
Modified: 21/12/2025

Received

CVE-2017-3506 KEV targets

7.4 High

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …

Attack vector: NETWORK
Complexity: HIGH
Published: 24/04/2017
Modified: 22/04/2026

CWE-78

CVE-2024-4058 targets

8.8 High

Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted …

Attack vector: NETWORK
Published: 01/05/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2025-9501 targets

9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector: NETWORK
Published: 17/11/2025
Modified: 08/05/2026

Awaiting Analysis

CVE-2026-1357 targets

9.8 Critical

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …

Attack vector: Network
Published: 11/02/2026
Modified: 08/05/2026

Awaiting Analysis

CVE-2025-30406 KEV targets

9.0 Critical

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Attack vector: Network
Published: 08/04/2025
Modified: 21/12/2025

Received

← Previous

Page / 5

25–36 of 49

T1132 subtechnique-of

Data Encoding MITRE

Tool (2)

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…

Course Of Action (1)

Network Intrusion Prevention mitigates

Contact About Legal notice Privacy policy Terms of use