T1132: T1132

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:31 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1132
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:31
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Data Encoding

Platforms

windows macos linux ESXi

Description

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Wikipedia Binary-to-text Encoding
Wikipedia Character Encoding
mitre-attack (T1132)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (61)

Storm-0249 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA585 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NET_PA1N Reborn uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Punishing Owl uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GreenSpot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Batavia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NewsPenguin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gleaming Pisces uses UNC1720UNC4736

The MITRE Corporation Confidence 100

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_SmudgedSerpent uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, Lyceum, SideWinder uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 61

Dozer uses

Family
InvisibleFerret uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bumblebee uses
Heyoka uses
Hiloti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OMServerService.vbs uses

Family
ANDROMEDA - S1074 uses

Family
PlugX - S0013 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TrickBot - S0266 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FatalRAT uses

Family
UyghurEditPP backdoor uses

Family

← Previous

Page / 7

25–36 of 79

Payouts King Ransomware Initial Access Broker Deploys New … related

AlienVault Confidence 100 21 MITREs 1 Malware 2 IOCs 1 APT
Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
The Devil, Eight Million Emails, and a Whole … related

AlienVault Confidence 100 16 MITREs 14 IOCs 14 Observables
Travel Phishing and Cyber Attacks are Surging in … related

16 MITREs
A First Look at a New Post-Exploitation Red … related

20 MITREs 1 Malware 1 Observable
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
RemotePE: The Lazarus RAT that lives in memory related

20 MITREs 6 Malwares 10 Observables 1 APT
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (76)

CVE-2017-9841 KEV targets

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2015-0311 KEV targets

9.8 Critical

Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute code.

Attack vector: NETWORK
Complexity: LOW
Published: 23/01/2015
Modified: 27/04/2026

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2022-24847 targets

7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector: NETWORK
Published: 14/04/2022
Modified: 21/12/2025

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-46747 KEV targets

9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector: Network
Published: 31/10/2023
Modified: 21/12/2025

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2025-4632 targets

9.8 Critical

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write …

Published: 13/05/2025
Modified: 13/05/2025

Received

CVE-2013-3307 targets

8.3 High

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …

Attack vector: NETWORK
Published: 11/07/2025
Modified: 21/12/2025

← Previous

Page / 7

61–72 of 76

Mythic uses

The MITRE Corporation Confidence 100

[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed…

Contact About Legal notice Privacy policy Terms of use

T1132: T1132

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (61)

Malware (79)

Reports (50)

Vulnerabilities (CVE) (76)

Tool (1)