title: Data Encoding (T1132)
id: df00tech-t1132
status: experimental
description: "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. Real-world examples include BADNEWS converting encrypted C2 data to hexadecimal then Base64 before transmission, Ursnif embedding Base64-encoded data in HTTP URLs, H1N1 using an altered Base64 scheme for C2 traffic, and Linux Rabbit sending encoded payloads as URL parameters."
references:
  - https://attack.mitre.org/techniques/T1132/
  - https://df00tech.com/detections/T1132
author: df00tech
date: 2026/04/19
tags:
  - attack.t1132
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software deployment tools (SCCM, Intune, Ansible) that use certutil -decode or -urlcache to deliver installer payloads from internal distribution servers"
  - "Data science and DevOps pipelines (CI/CD agents, Terraform, configuration management) that Base64-encode credentials or configuration blobs before transmitting to APIs"
  - "Application monitoring agents (Datadog, Splunk UF, New Relic) that encode telemetry payloads before posting to SaaS collection endpoints"
  - "Web developers testing REST APIs with curl, passing Base64-encoded Bearer tokens or JSON payloads in request bodies"
  - "Security tooling including vulnerability scanners and SIEM forwarders that encode log data or signatures during transmission"
level: medium
