Encode techniques
The encode/ package provides transport-safe byte transformations:
Base64 (standard + URL-safe), UTF-16LE, ROT13, and the
PowerShell -EncodedCommand format. Encoding is never confidentiality —
it survives channels that mangle arbitrary bytes (HTTP headers, JSON
strings, PowerShell command lines, stdin pipes).
TL;DR
Encrypt first, then encode. Decode last, then decrypt.
Where to start (novice path):
Single-page area. Read
encodeend-to-end (~5 min) and consult the Quick decision tree below to pick the right encoder per channel. Pair withcryptofor the encrypt-then-encode pattern shown in the mermaid above.
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
encode | encode.md | very-quiet | Base64 (std + URL), UTF-16LE, ROT13, PowerShell -EncodedCommand |
Quick decision tree
| You want to… | Use |
|---|---|
| …embed a binary blob in Go source / JSON / HTTP header | encode.Base64Encode |
| …pass a payload through a URL or filename | encode.Base64URLEncode |
| …feed a Windows API that takes UTF-16 LPWSTR | encode.ToUTF16LE |
…run a PowerShell script via -EncodedCommand | encode.PowerShell |
| …break a static string signature on Win32 API names | encode.ROT13 (novelty) |
MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1027 | Obfuscated Files or Information | encode (PowerShell, Base64) | D3-SEA |
| T1027.013 | Encrypted/Encoded File | encode (Base64 wrapper for ciphertext) | D3-FCR |
| T1140 | Deobfuscate/Decode Files or Information | encode.Base64Decode, encode.Base64URLDecode | D3-FCR |
See also
crypto— confidentiality layer (encrypt before encoding).- Operator path: stagers and encoders
- Detection eng path:
-EncodedCommandhunting