Which SIEM platforms have a T1001 detection rule?

df00tech provides T1001 (Data Obfuscation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, and CrowdStrike LogScale (CQL).

What severity and confidence is the T1001 detection?

The T1001 detection is rated high severity with medium confidence.

What are common false positives for T1001?

Common false positives for T1001 include: Legitimate software update clients (Windows Update, Chrome update, application auto-updaters) making regular HTTP check-in connections at predictable intervals — exclude by process name and destination domain allowlist; Cloud synchronization agents (OneDrive, Dropbox, Box, iCloud) establishing frequent HTTPS connections with encoded content in URLs — add to the excluded process list in Vector 2; CDN and authentication platforms (Akamai, Cloudflare, Azure AD) using long Base64 tokens in redirect URLs — extend the exclusion list in Vector 3 with known CDN domains.

T1001

Data Obfuscation

What data sources are required to detect Data Obfuscation (T1001)?

Detecting Data Obfuscation requires the following data sources: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation, Azure DNS Analytics (DnsEvents), Microsoft Defender for Endpoint (DeviceNetworkEvents), Proxy/Firewall CEF logs (CommonSecurityLog).

Command and Control

Last updated: April 13, 2026

Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.

What is T1001 Data Obfuscation?

Data Obfuscation (T1001) belongs to the MITRE ATT&CK Command and Control tactic, in which the adversary is trying to communicate with compromised systems to control them.

This page provides production-ready detection logic for Data Obfuscation, covering the data sources and telemetry it touches: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation, Azure DNS Analytics (DnsEvents), Microsoft Defender for Endpoint (DeviceNetworkEvents), Proxy/Firewall CEF logs (CommonSecurityLog). The queries below are rated high severity at medium confidence and ship for 7 SIEM platforms: Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L), and CrowdStrike LogScale (CQL).

MITRE ATT&CK

Tactic: Command and Control
Technique: T1001 Data Obfuscation
Canonical reference: https://attack.mitre.org/techniques/T1001/

Microsoft Sentinel / Defender

kusto

// T1001: Data Obfuscation — Multi-vector C2 obfuscation detection
// Covers three key patterns: high-entropy DNS labels, non-browser HTTP beaconing, and Base64-encoded proxy URIs
//
// VECTOR 1: High-entropy DNS subdomain labels (e.g., RDAT embedding AES ciphertext in subdomains)
let HighEntropyDNS = DnsEvents
| where TimeGenerated > ago(24h)
| where SubType == "LookupQuery"
| where isnotempty(Name)
| extend Labels = split(Name, ".")
| extend SubdomainLabel = tostring(Labels[0])
| where strlen(SubdomainLabel) >= 30
// Match Base64/hex-alphabet strings — typical of encoded C2 payloads
| where SubdomainLabel matches regex @"^[A-Za-z0-9+/=_\-]+$"
// Exclude common GUID/UUID patterns used by CDNs
| where SubdomainLabel !matches regex @"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-"
| project TimeGenerated, Computer, ClientIP, QueryName = Name,
         SubdomainLabel, SubdomainLength = strlen(SubdomainLabel)
| extend DetectionVector = "HighEntropyDNSSubdomain", Severity = "High";
//
// VECTOR 2: Non-browser HTTP/HTTPS beaconing from suspicious processes
// (junk data or obfuscated payloads in regular C2 check-ins)
let SuspectBeaconing = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "SearchApp.exe", "OneDrive.exe",
    "Teams.exe", "Outlook.exe", "slack.exe", "msteams.exe",
    "zoom.exe", "dropbox.exe", "svchost.exe", "MsMpEng.exe",
    "SenseCE.exe", "SenseIR.exe", "MsSense.exe"
  )
| summarize
    ConnectionCount = count(),
    UniqueDestIPs = dcount(RemoteIP),
    DestIPs = make_set(RemoteIP, 5),
    DestPorts = make_set(RemotePort),
    EarliestConn = min(Timestamp),
    LatestConn = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessId,
     InitiatingProcessCommandLine, AccountName = InitiatingProcessAccountName
| where ConnectionCount >= 10
| extend SpanMinutes = datetime_diff('minute', LatestConn, EarliestConn)
| where SpanMinutes > 0
| extend ConnPerMinute = round(toreal(ConnectionCount) / toreal(SpanMinutes), 2)
// Beaconing range: 0.1–4 connections/min (every 15 seconds to ~10 minutes)
| where ConnPerMinute between (0.1 .. 4.0)
| project TimeGenerated = LatestConn, DeviceName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AccountName,
         ConnectionCount, UniqueDestIPs, DestIPs, ConnPerMinute
| extend DetectionVector = "SuspectHTTPBeaconing", Severity = "Medium";
//
// VECTOR 3: Base64 / high-entropy data embedded in HTTP proxy request URIs
// (characteristic of malware encoding C2 commands in URL path segments)
let EncodedProxyTraffic = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceEventCategory has_any ("proxy", "web-filtering", "URL")
| where isnotempty(RequestURL)
// 40+ contiguous Base64-alphabet characters in the URL path indicate encoded content
| where RequestURL matches regex @"[A-Za-z0-9+/]{40,}={0,2}"
// Exclude well-known OAuth/CDN endpoints that legitimately embed tokens in URLs
| where RequestURL !has "accounts.google.com"
    and RequestURL !has "login.microsoftonline.com"
    and RequestURL !has ".windowsupdate.com"
    and RequestURL !has "cdn.jsdelivr.net"
    and RequestURL !has "akamaihd.net"
| project TimeGenerated, DeviceName, SourceIP, DestinationHostName,
         RequestURL, RequestMethod, DestinationPort, SourceUserName
| extend DetectionVector = "Base64EncodedProxyURI", Severity = "Medium";
//
// Combine all vectors and surface results
union HighEntropyDNS, SuspectBeaconing, EncodedProxyTraffic
| sort by TimeGenerated desc

Multi-vector detection for T1001 Data Obfuscation using three parallel approaches: (1) DnsEvents analysis for long first DNS labels (>= 30 characters drawn from the Base64/hex alphabet), used as a proxy for high entropy and indicative of encoded C2 payloads embedded in DNS queries, as seen in RDAT malware; (2) DeviceNetworkEvents beaconing analysis detecting non-browser processes that make 10+ HTTP/HTTPS connections to public IPs at an average rate of 0.1–4 per minute, a pattern consistent with malware performing regular C2 check-ins with obfuscated or junk-padded payloads; (3) CommonSecurityLog proxy analysis detecting Base64-encoded strings (40+ characters) embedded in HTTP request URLs. Results are unioned and sorted newest first. Requires the DNS Analytics solution for DnsEvents, MDE for DeviceNetworkEvents, and a CEF-forwarding proxy for CommonSecurityLog.
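As a rough illustration of what Vector 1 checks, the Python sketch below reimplements the first-label test (length, alphabet, GUID exclusion) outside the SIEM. The function names are hypothetical and not part of any product. The Shannon entropy helper is an addition that the KQL query does not compute: the query relies on label length and alphabet as a stand-in for entropy.

```python
import math
import re
from collections import Counter

# Same patterns and threshold as Vector 1 of the KQL query.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_\-]+$")
GUID_PREFIX = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-")
MIN_LABEL_LENGTH = 30


def first_label(query_name: str) -> str:
    """Return the leftmost DNS label, like split(Name, ".")[0] in the query."""
    return query_name.split(".")[0]


def is_suspicious_label(query_name: str) -> bool:
    """Apply the length, alphabet, and GUID-exclusion checks to the first label."""
    label = first_label(query_name)
    if len(label) < MIN_LABEL_LENGTH:
        return False
    if not ENCODED_LABEL.match(label):
        return False
    return GUID_PREFIX.match(label) is None


def shannon_entropy(text: str) -> float:
    """Bits per character. Not part of the query; an optional extra signal."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())
```

A long label made of one repeated character passes the length and alphabet checks but has zero entropy, so an entropy floor could be one way to trim false positives if the basic rule proves noisy.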

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content
Network Traffic: Network Traffic Flow
Process: Process Creation
Azure DNS Analytics (DnsEvents)
Microsoft Defender for Endpoint (DeviceNetworkEvents)
Proxy/Firewall CEF logs (CommonSecurityLog)

Required Tables

DnsEvents
DeviceNetworkEvents
CommonSecurityLog

False Positives

Legitimate software update clients (Windows Update, Chrome update, application auto-updaters) making regular HTTP check-in connections at predictable intervals — exclude by process name and destination domain allowlist
Cloud synchronization agents (OneDrive, Dropbox, Box, iCloud) establishing frequent HTTPS connections with encoded content in URLs — add to the excluded process list in Vector 2
CDN and authentication platforms (Akamai, Cloudflare, Azure AD) using long Base64 tokens in redirect URLs — extend the exclusion list in Vector 3 with known CDN domains
Security monitoring and endpoint agents (CrowdStrike, SentinelOne, Qualys) beaconing at regular intervals to management infrastructure — identify agent process names and exclude them
Internal DNS-based service discovery mechanisms or Kubernetes DNS with long service names — review high-entropy DNS alerts against internal DNS server IPs before escalating
Web application firewalls or DLP proxies that re-encode request URLs during forwarding — validate by checking SourceIP against known proxy infrastructure

Splunk

spl

| multisearch
  [search index=network sourcetype="stream:http"
  | eval detection_vector="HTTP_Obfuscation"
  | eval url_path=coalesce(uri_path, uri, "-")
  | eval user_agent_lower=lower(coalesce(http_user_agent, "-"))
  // Flag 1: Non-standard User-Agent strings not matching known browser/runtime patterns
  | eval flag_suspicious_ua=if(
      NOT match(user_agent_lower, "(mozilla|chrome|safari|firefox|edge|curl|python-requests|go-http-client|wget|java|okhttp|axios)"),
      1, 0
    )
  // Flag 2: Base64 or high-entropy encoded blob in URL path (40+ contiguous Base64 chars)
  | eval flag_encoded_url=if(match(url_path, "[A-Za-z0-9+/]{40,}={0,2}"), 1, 0)
  // Flag 3: Encoded data in Cookie header (Okrum pattern — C2 commands hidden in Cookie values)
  | eval flag_encoded_cookie=if(
      match(coalesce(cookie, "-"), "[A-Za-z0-9+/=]{50,}"),
      1, 0
    )
  // Flag 4: Response body size divisible by cipher block size (16 bytes) — AES block alignment
  // Common indicator of encrypted/padded C2 response with predictable structure
  | eval resp_len=tonumber(coalesce(bytes_out, response_body_len, "0"))
  | eval flag_block_aligned=if(resp_len > 0 AND resp_len < 4096 AND (resp_len % 16)==0, 1, 0)
  // Flag 5: HTTP POST directly to an IP address (no domain) — raw C2 without domain fronting
  | eval flag_post_to_ip=if(
      method=="POST" AND match(coalesce(dest_ip, dest, "-"), "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$"),
      1, 0
    )
  | eval suspicion_score=flag_suspicious_ua + flag_encoded_url + flag_encoded_cookie + flag_block_aligned + flag_post_to_ip
  | where suspicion_score > 0
  | table _time, src_ip, dest_ip, site, url_path, method, status,
          http_user_agent, cookie, bytes_out,
          flag_suspicious_ua, flag_encoded_url, flag_encoded_cookie,
          flag_block_aligned, flag_post_to_ip, suspicion_score, detection_vector]

  [search index=network (sourcetype="bro:dns" OR sourcetype="zeek:dns")
  | eval detection_vector="DNS_Obfuscation"
  | eval query_name=coalesce(query, "-")
  | eval labels=split(query_name, ".")
  | eval first_label=mvindex(labels, 0)
  | eval label_len=len(first_label)
  // High-entropy subdomain: 30+ chars of Base64/hex alphabet (RDAT/DNS-tunnel pattern)
  | eval flag_encoded_url=if(label_len >= 30 AND match(first_label, "^[A-Za-z0-9+/=_\\-]+$"), 1, 0)
  | eval flag_suspicious_ua=0
  | eval flag_encoded_cookie=0
  | eval flag_block_aligned=0
  | eval flag_post_to_ip=0
  | eval suspicion_score=flag_encoded_url
  | where suspicion_score > 0
  | table _time, src_ip, query_name, first_label, label_len,
          flag_encoded_url, suspicion_score, detection_vector]

  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval detection_vector="Sysmon_DNS_Obfuscation"
  | eval query_name=coalesce(QueryName, "-")
  | eval labels=split(query_name, ".")
  | eval first_label=mvindex(labels, 0)
  | eval label_len=len(first_label)
  | eval flag_encoded_url=if(label_len >= 30 AND match(first_label, "^[A-Za-z0-9+/=_\\-]+$"), 1, 0)
  | eval flag_suspicious_ua=0
  | eval flag_encoded_cookie=0
  | eval flag_block_aligned=0
  | eval flag_post_to_ip=0
  | eval suspicion_score=flag_encoded_url
  | where suspicion_score > 0
  | table _time, host, Image, User, query_name, first_label, label_len,
          flag_encoded_url, suspicion_score, detection_vector]

| sort - suspicion_score, - _time

Multi-source SPL detection for T1001 Data Obfuscation using multisearch across three data sources: (1) stream:http — analyzes HTTP traffic for five obfuscation indicators: non-standard User-Agent strings, Base64-encoded URL path segments (40+ chars), encoded Cookie header values (Okrum C2 pattern), AES block-aligned response sizes indicating padded/encrypted payloads, and raw HTTP POST to IP addresses. A cumulative suspicion score (1–5) enables priority triage. (2) bro:dns / zeek:dns — detects high-entropy subdomain labels (30+ chars of Base64/hex alphabet) consistent with DNS-tunneled C2 (RDAT pattern). (3) Sysmon Event ID 22 (DNS Query) — catches the same DNS entropy pattern from endpoint telemetry when network Zeek/Bro is unavailable. Results are unioned and sorted by suspicion score descending.
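The five-flag scoring applied to stream:http events can be sketched in Python as follows. This is an illustrative reimplementation, not the Splunk search itself: the function name and parameters are hypothetical, and the regular expressions are copied from the SPL above. As in the search, a missing User-Agent is treated as "-" and therefore counts as suspicious.

```python
import re
from typing import Dict, Optional

# Patterns copied from the stream:http branch of the SPL search.
KNOWN_UA = re.compile(
    r"(mozilla|chrome|safari|firefox|edge|curl|python-requests|"
    r"go-http-client|wget|java|okhttp|axios)"
)
BASE64_PATH = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
BASE64_COOKIE = re.compile(r"[A-Za-z0-9+/=]{50,}")
IPV4 = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def score_http_event(
    user_agent: Optional[str],
    url_path: Optional[str],
    cookie: Optional[str],
    response_len: int,
    method: str,
    dest: str,
) -> Dict[str, int]:
    """Compute the five flags and their sum for a single HTTP event."""
    ua = (user_agent or "-").lower()
    flags = {
        "flag_suspicious_ua": int(KNOWN_UA.search(ua) is None),
        "flag_encoded_url": int(BASE64_PATH.search(url_path or "-") is not None),
        "flag_encoded_cookie": int(BASE64_COOKIE.search(cookie or "-") is not None),
        # 16-byte alignment on small responses, as in Flag 4.
        "flag_block_aligned": int(0 < response_len < 4096 and response_len % 16 == 0),
        "flag_post_to_ip": int(method == "POST" and IPV4.match(dest) is not None),
    }
    flags["suspicion_score"] = sum(flags.values())
    return flags
```

Because roughly one in sixteen small responses is 16-byte aligned by chance, a score of 1 driven only by flag_block_aligned is weak evidence; triaging from the highest scores down is probably the more practical use.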

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content (stream:http)
Network Traffic: Network Traffic Flow (bro:dns / zeek:dns)
Process: Process Creation (Sysmon Event ID 22 DNS queries)

Required Sourcetypes

stream:http
bro:dns
zeek:dns
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CDN and object storage services (S3, Azure Blob, CloudFront) that embed long object hashes or signed tokens directly in URL paths — add their domains to an exclusion lookup
OAuth2 redirect URIs and SAML assertion URLs carrying base64-encoded tokens — these are expected patterns from identity providers (Google, Azure AD, Okta)
Automated monitoring scripts and health-check agents using custom User-Agent strings — build an allowlist of internal scan IPs to suppress flag_suspicious_ua
DNS-based service mesh frameworks (Consul, Kubernetes CoreDNS) generating long service-discovery hostnames — exclude internal resolver IPs for DNS obfuscation vectors
Enterprise proxy solutions that re-sign or transform URLs during content inspection may produce Base64-looking path segments — validate source IP against known proxy infrastructure before escalating

Elastic Security (EQL)

eql

/* T1001: Data Obfuscation — Multi-vector C2 obfuscation detection
   Vector 1: High-entropy DNS subdomain labels (RDAT / DNS tunnel AES encoding)
   Vector 2: Non-browser process outbound HTTP beaconing
   Vector 3: Base64-encoded blob embedded in HTTP request URI path */
any where
  /* Vector 1: DNS query whose first label is 30+ chars of Base64/hex alphabet */
  (
    event.category == "network" and
    network.protocol == "dns" and
    dns.question.name != null and
    /* EQL regex must match the whole field value, hence the trailing .* */
    dns.question.name regex "[A-Za-z0-9+/=_-]{30,}\\..*" and
    not dns.question.name regex "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}.*"
  ) or
  /* Vector 2: Non-browser / non-system process making outbound web-port connection */
  (
    event.category == "network" and
    event.type in ("start", "connection") and
    destination.port in (80, 443, 8080, 8443) and
    network.direction == "egress" and
    process.name != null and
    not process.name in~ (
      "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
      "opera.exe", "brave.exe", "slack.exe", "teams.exe",
      "outlook.exe", "onedrive.exe", "svchost.exe", "MsMpEng.exe",
      "SearchApp.exe", "zoom.exe", "dropbox.exe", "SenseCE.exe",
      "SenseIR.exe", "MsSense.exe"
    )
  ) or
  /* Vector 3: 40+ contiguous Base64-alphabet chars in HTTP URI path
     Excludes known-clean OAuth and CDN token endpoints */
  (
    event.category == "network" and
    url.path != null and
    url.path regex ".*[A-Za-z0-9+/]{40,}={0,2}.*" and
    not url.domain like~ (
      "accounts.google.com", "login.microsoftonline.com",
      "*windowsupdate.com", "cdn.jsdelivr.net", "*akamaihd.net"
    )
  )

Detects T1001 Data Obfuscation C2 patterns using Elastic ECS network fields across three vectors: high-entropy DNS subdomain labels matching RDAT AES-in-subdomain and DNS tunneling patterns; non-browser/non-system process outbound HTTP/HTTPS connections; and Base64-encoded blobs embedded in HTTP request URI paths (characteristic of command encoding in URL path segments).
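To make the URI vector concrete, here is a minimal Python sketch of the same check: a run of 40+ Base64-alphabet characters in the path, skipped for allowlisted domains. The helper names are hypothetical, and the suffix-based domain match is an assumption about the intended behaviour (so that hosts such as download.windowsupdate.com are covered), not a description of how the EQL rule evaluates url.domain.

```python
import re

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Domains taken from the exclusion list in the query above.
EXCLUDED_DOMAINS = (
    "accounts.google.com",
    "login.microsoftonline.com",
    "windowsupdate.com",
    "cdn.jsdelivr.net",
    "akamaihd.net",
)


def is_excluded(domain: str) -> bool:
    """True if the domain equals an excluded entry or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED_DOMAINS)


def has_encoded_path(domain: str, path: str) -> bool:
    """Flag paths containing 40+ contiguous Base64-alphabet characters."""
    return not is_excluded(domain) and BASE64_RUN.search(path) is not None
```

Note that "/" is itself part of the Base64 alphabet, so an ordinary deep path made only of letters, digits, and slashes also matches once it reaches 40 characters. Tuning may need to account for that.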

high severity medium confidence

Data Sources

Elastic Agent network telemetry (endpoint.events.network)
Packetbeat network capture
Zeek/Bro logs via Filebeat (zeek.dns, zeek.http)
Auditbeat network socket events

Required Tables

logs-endpoint.events.network-*
packetbeat-*
logs-zeek.dns-*
logs-zeek.http-*

False Positives

CDN providers (Akamai, CloudFlare, Fastly) use long tokenized subdomains for edge routing that can exceed 30 characters and match the Base64/hex alphabet pattern without being malicious
Enterprise monitoring agents (Datadog, New Relic, Dynatrace) beacon at regular intervals from non-browser processes using custom HTTP clients, triggering the beaconing vector
OAuth 2.0 and JWT token flows legitimately embed long Base64-encoded state parameters and signed CDN URLs (AWS S3 pre-signed, Azure Blob SAS tokens) in HTTP request paths

IBM QRadar (AQL)

sql

/* T1001: Data Obfuscation — QRadar AQL multi-vector detection
   Covers: (1) high-entropy DNS subdomain labels, (2) suspicious HTTP User-Agent strings,
   (3) Base64-encoded blobs in HTTP proxy request URIs */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "Query" AS dns_query_name,
  "URL" AS request_url,
  "User Agent" AS user_agent_string,
  CASE
    WHEN REGEXP_MATCH("Query", '^[A-Za-z0-9+/=_-]{30,}\.')
      THEN 'HighEntropyDNSSubdomain'
    WHEN NOT REGEXP_MATCH(LOWER(COALESCE("User Agent", '')), '(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)')
      AND destinationport IN (80, 443, 8080, 8443)
      AND "User Agent" IS NOT NULL
      THEN 'SuspiciousUserAgent'
    WHEN REGEXP_MATCH(COALESCE("URL", ''), '[A-Za-z0-9+/]{40,}={0,2}')
      AND NOT "URL" LIKE '%accounts.google.com%'
      AND NOT "URL" LIKE '%login.microsoftonline.com%'
      AND NOT "URL" LIKE '%windowsupdate.com%'
      AND NOT "URL" LIKE '%cdn.jsdelivr.net%'
      THEN 'Base64EncodedURI'
    ELSE 'MultiVector'
  END AS detection_vector
FROM events
WHERE
  /* Last 24 hours in milliseconds */
  starttime > (DATEFORMAT(NOW(), 'epoch') - 86400000)
  AND
  (
    /* Vector 1: DNS query with high-entropy first label (30+ Base64/hex chars) */
    REGEXP_MATCH("Query", '^[A-Za-z0-9+/=_-]{30,}\.')

    OR

    /* Vector 2: Non-standard User-Agent on web ports — non-browser tooling */
    (
      destinationport IN (80, 443, 8080, 8443)
      AND "User Agent" IS NOT NULL
      AND NOT REGEXP_MATCH(
        LOWER(COALESCE("User Agent", '')),
        '(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)'
      )
    )

    OR

    /* Vector 3: Base64-encoded blob in HTTP URI path from proxy/web-filtering sources */
    (
      "URL" IS NOT NULL
      AND REGEXP_MATCH("URL", '[A-Za-z0-9+/]{40,}={0,2}')
      AND NOT "URL" LIKE '%accounts.google.com%'
      AND NOT "URL" LIKE '%login.microsoftonline.com%'
      AND NOT "URL" LIKE '%windowsupdate.com%'
      AND NOT "URL" LIKE '%cdn.jsdelivr.net%'
      AND NOT "URL" LIKE '%akamaihd.net%'
    )
  )
ORDER BY starttime DESC
LIMIT 500

Detects T1001 Data Obfuscation in QRadar across three vectors using normalized event fields: high-entropy DNS subdomain labels (30+ Base64/hex chars — RDAT/tunneling), non-standard HTTP User-Agent strings on web ports (non-browser tooling beaconing), and Base64-encoded blobs in HTTP request URIs from proxy and web-filtering log sources.
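The way the three vectors are labelled can be sketched in Python. The function below collapses the WHERE filter and the CASE expression into one hypothetical classify helper; the patterns and port list are copied from the AQL, and substring matching on the URL stands in for the LIKE '%...%' exclusions. It is an illustration of the precedence, not QRadar behaviour.

```python
import re
from typing import Optional

DNS_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{30,}\.")
KNOWN_UA = re.compile(
    r"(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|"
    r"java|okhttp|axios|go-http-client)"
)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
WEB_PORTS = {80, 443, 8080, 8443}
URL_EXCLUSIONS = (
    "accounts.google.com",
    "login.microsoftonline.com",
    "windowsupdate.com",
    "cdn.jsdelivr.net",
    "akamaihd.net",
)


def classify(
    query: Optional[str],
    user_agent: Optional[str],
    url: Optional[str],
    dest_port: int,
) -> Optional[str]:
    """Return the first matching vector label, or None if nothing matches."""
    if query and DNS_LABEL.search(query):
        return "HighEntropyDNSSubdomain"
    if (
        user_agent is not None
        and dest_port in WEB_PORTS
        and KNOWN_UA.search(user_agent.lower()) is None
    ):
        return "SuspiciousUserAgent"
    if url and BASE64_RUN.search(url) and not any(d in url for d in URL_EXCLUSIONS):
        return "Base64EncodedURI"
    return None
```

Two consequences follow from this ordering: an event that satisfies several vectors is labelled only with the first one, and because every row that passes the WHERE clause matches at least one branch, the 'MultiVector' fallback in the CASE expression is never reached.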

high severity medium confidence

Data Sources

QRadar DNS log sources (Windows DNS, BIND, Infoblox)
Proxy and web gateway logs (BlueCoat, Squid, Zscaler, McAfee Web Gateway)
Network IDS/IPS (Snort, Suricata via QRadar DSM)
WinCollect Sysmon EventCode 22 (DNS queries)

Required Tables

events

False Positives

Microsoft Azure service discovery and ARM template deployments generate long DNS subdomain labels under *.azure.com and *.windows.net that can match the 30-character entropy threshold
Custom enterprise Java or .NET applications using HttpClient without a browser-style User-Agent header will appear as suspicious UA while performing legitimate internal API calls
AWS S3 pre-signed URLs and Azure Blob Storage SAS tokens embed HMAC-SHA256 signatures as long Base64-encoded query parameters that match the encoded URI pattern

Sumo Logic CSE

sql

/* T1001: Data Obfuscation — Sumo Logic multi-vector C2 obfuscation detection
   Parses multiple DNS and HTTP/proxy log formats from common collectors */
(_sourceCategory=*network*dns*
 OR _sourceCategory=*network*http*
 OR _sourceCategory=*proxy*
 OR _sourceCategory=*web*filter*
 OR _sourceCategory=*zeek*
 OR _sourceCategory=*bro*)

// --- DNS field extraction (multiple format variants) ---
| parse field=_raw "query: *" as dns_query nodrop
| parse field=_raw "\"qname\":\"*\"" as dns_query nodrop
| parse field=_raw "QueryName=*" as dns_query nodrop

// Extract first DNS label (subdomain segment before first dot)
| parse regex field=dns_query "^(?<first_label>[^\.]{30,})\." nodrop

// --- HTTP/proxy field extraction ---
| parse field=_raw "cs-uri-stem=*" as request_url nodrop
| parse field=_raw "\"uri\":\"*\"" as request_url nodrop
| parse field=_raw "RequestURL=*" as request_url nodrop
| parse field=_raw "cs(User-Agent)=*" as user_agent nodrop
| parse field=_raw "\"http_user_agent\":\"*\"" as user_agent nodrop

// --- Detection vector evaluation ---

// V1: High-entropy DNS subdomain label
| if(
    !isEmpty(first_label)
    and length(first_label) >= 30
    and first_label matches /^[A-Za-z0-9+\/=_-]+$/,
    "HighEntropyDNSSubdomain",
    ""
  ) as v_dns

// V2: Base64-encoded blob in HTTP URI path; exclude known-clean OAuth/CDN endpoints
| if(
    !isEmpty(request_url)
    and request_url matches /.*[A-Za-z0-9+\/]{40,}={0,2}.*/
    and !(request_url matches /.*(accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net).*/),
    "Base64EncodedURI",
    ""
  ) as v_encoded_url

// V3: Non-browser / non-standard User-Agent on HTTP/HTTPS traffic
| if(
    !isEmpty(user_agent)
    and !(user_agent matches /(?i).*(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client).*/),
    "SuspiciousUserAgent",
    ""
  ) as v_ua

// Keep the first non-empty vector (V1, then V2, then V3); emit only events with at least one signal
| if(!isEmpty(v_dns), v_dns, if(!isEmpty(v_encoded_url), v_encoded_url, v_ua)) as detection_vector
| where !isEmpty(detection_vector)

| fields _messagetime, _sourceHost, _sourceCategory,
         dns_query, first_label, request_url, user_agent, detection_vector
| sort by _messagetime desc

Detects T1001 Data Obfuscation across three vectors in Sumo Logic with multi-format log parsing: high-entropy DNS subdomain labels (30+ Base64/hex chars — RDAT/tunneling), Base64-encoded blobs in HTTP request URI paths (encoded C2 command channels), and non-browser User-Agent strings on web traffic. Supports Zeek/Bro, Windows DNS, BlueCoat, Squid, and Zscaler log formats.
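The multi-format DNS extraction step can be pictured with a short Python sketch: try each known log layout in turn, take the first capture, then apply the first-label test. The three layouts mirror the parse statements in the query; the helper names are hypothetical, and using \S+ to approximate the wildcard capture is an assumption about how the raw lines are delimited.

```python
import re
from typing import Optional

# One pattern per log layout handled by the query's parse statements.
DNS_PATTERNS = (
    re.compile(r"query: (\S+)"),
    re.compile(r'"qname":"([^"]*)"'),
    re.compile(r"QueryName=(\S+)"),
)
FIRST_LABEL = re.compile(r"^([^.]{30,})\.")
ALPHABET = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def extract_dns_query(raw: str) -> Optional[str]:
    """Return the queried name from the first layout that matches, else None."""
    for pattern in DNS_PATTERNS:
        match = pattern.search(raw)
        if match:
            return match.group(1)
    return None


def dns_vector(raw: str) -> Optional[str]:
    """Label the event if its first DNS label is 30+ Base64/hex-alphabet chars."""
    query = extract_dns_query(raw)
    if query is None:
        return None
    label = FIRST_LABEL.match(query)
    if label and ALPHABET.match(label.group(1)):
        return "HighEntropyDNSSubdomain"
    return None
```

Returning on the first successful pattern avoids a later, non-matching layout overwriting an earlier capture, which is worth verifying in the real query when several parse statements write to the same field.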

high severity medium confidence

Data Sources

Proxy and web gateway logs (BlueCoat, Squid, Zscaler, Symantec WSS)
DNS server logs (Windows DNS Event, BIND query log, Infoblox)
Zeek/Bro network logs via Sumo Logic collector
Network IDS enrichment logs

Required Tables

_sourceCategory=*network*dns*
_sourceCategory=*proxy*
_sourceCategory=*web*filter*
_sourceCategory=*zeek*

False Positives

Content delivery networks (Akamai, Fastly, CloudFlare) use long tokenized subdomains for edge cache routing that regularly exceed the 30-character threshold and match Base64-alphabet patterns
Google Analytics, Adobe Analytics, and Segment.io tracking beacons embed long Base64-encoded event payloads in HTTPS beacon URLs that match the encoded URI vector
Enterprise backup and endpoint synchronization tools (Veeam, Acronis, Azure Backup Agent) make scheduled HTTP callbacks with non-browser User-Agent strings at beaconing-like intervals

Google Chronicle / SecOps

yaral

// T1001: Data Obfuscation — Chronicle YARA-L 2.0 detection rules
// Two rules covering DNS entropy and HTTP encoding/beaconing vectors

// ============================================================
// Rule 1: High-entropy DNS subdomain labels
// Detects RDAT AES-in-subdomain, DNS tunneling, covert channel encoding
// ============================================================
rule t1001_data_obfuscation_dns_entropy {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1001 Data Obfuscation via high-entropy DNS subdomain labels (30+ Base64/hex chars). Matches RDAT AES ciphertext-in-subdomain and DNS tunneling C2 channel patterns."
    mitre_attack_tactic      = "Command and Control"
    mitre_attack_technique   = "T1001"
    mitre_attack_subtechnique = "T1001.002"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    // First DNS label is 30+ chars of Base64/hex alphabet
    $dns.network.dns.questions.name = /^[A-Za-z0-9+\/=_\-]{30,}\./
    // Exclude CDN GUID-style subdomains (CloudFlare, Akamai routing tokens)
    not $dns.network.dns.questions.name = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
    $dns.principal.hostname = $src_hostname

  condition:
    $dns
}

// ============================================================
// Rule 2: Base64-encoded URI path or non-browser HTTP beaconing
// Covers encoded C2 commands in URL segments and suspicious User-Agents
// ============================================================
rule t1001_data_obfuscation_http_encoding {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1001 Data Obfuscation via Base64-encoded blobs in HTTP request URI paths and non-browser User-Agent strings making outbound connections. Covers StrelaStealer XOR/Base64 POST patterns and TrailBlazer/Ninja C2 URI obfuscation."
    mitre_attack_tactic      = "Command and Control"
    mitre_attack_technique   = "T1001"
    mitre_attack_subtechnique = "T1001.003"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    (
      // Vector A: 40+ contiguous Base64-alphabet chars in request URL path
      (
        $http.network.http.request_url = /[A-Za-z0-9+\/]{40,}={0,2}/
        and not $http.target.hostname = /accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net/
      )
      or
      // Vector B: Non-browser / non-standard User-Agent on outbound web port
      (
        not $http.network.http.user_agent = /((?i)mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)/
        and $http.target.port in [80, 443, 8080, 8443]
        and $http.network.direction = "OUTBOUND"
        and $http.network.http.user_agent != ""
      )
    )
    $http.principal.hostname = $src_host
    $http.target.hostname = $dst_host

  condition:
    $http
}

Two Chronicle YARA-L 2.0 rules detecting T1001 Data Obfuscation. Rule 1 flags NETWORK_DNS events where the first DNS label contains 30+ consecutive Base64/hex-alphabet characters (RDAT AES-in-subdomain and DNS tunnel patterns), excluding GUID-style CDN subdomains. Rule 2 flags NETWORK_HTTP events with Base64-encoded blobs in request URI paths or non-browser User-Agent strings on outbound web ports.

high severity medium confidence

Data Sources

Chronicle UDM NETWORK_DNS events (from Forwarder, endpoint EDR, or DNS log ingestion)
Chronicle UDM NETWORK_HTTP events (from proxy, web gateway, or packet capture feeds)
Google Cloud network telemetry via Chronicle Forwarder
CrowdStrike / Carbon Black EDR events normalized to UDM

Required Tables

UDM events with metadata.event_type = NETWORK_DNS
UDM events with metadata.event_type = NETWORK_HTTP

False Positives

Azure AD tenant-specific SSO flows generate DNS queries for long subdomain chains under *.microsoftonline.com and *.azure.com that can match the 30-character entropy threshold in Rule 1
Security endpoint agents (CrowdStrike Falcon, Carbon Black, SentinelOne) perform regular health-check HTTP callbacks with proprietary User-Agent strings that don't match the browser exclusion pattern in Rule 2
Google reCAPTCHA v3 and Cloudflare Turnstile embed long Base64-encoded challenge tokens in HTTPS request paths during bot-verification flows, matching the URI encoding pattern in Rule 2

CrowdStrike LogScale (CQL)

cql

// T1001: Data Obfuscation — CrowdStrike LogScale (CQL) detection
// Two saved queries: DNS entropy and HTTP beaconing vectors
// Run each independently or schedule as separate detection jobs

// ============================================================
// QUERY 1: High-entropy DNS subdomain labels
// Source: Falcon DnsRequest telemetry
// Detects RDAT AES-in-subdomain, DNS tunnel C2, covert channel encoding
// ============================================================
#event_simpleName=DnsRequest
| DomainName = /^[A-Za-z0-9+\/=_\-]{30,}\./
// Exclude GUID-style CDN and service-mesh subdomains
| DomainName != /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
// Aggregate: count queries per host+process+domain over session window
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=query_count),
      min(timestamp, as=first_seen_ms),
      max(timestamp, as=last_seen_ms)
    ]
  )
// Require at least 3 queries to the same high-entropy domain (reduces single-lookup FPs)
| query_count >= 3
| detection_vector := "HighEntropyDNSSubdomain"
| severity := "High"
| sort(query_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, DomainName,
         query_count, first_seen_ms, last_seen_ms, detection_vector, severity])


// ============================================================
// QUERY 2: Non-browser process HTTP/HTTPS beaconing
// Source: Falcon NetworkConnectIP4 telemetry
// Detects junk-data C2 check-ins and obfuscated payload beaconing
// ============================================================
#event_simpleName=NetworkConnectIP4
| in(field=RemotePort, values=["80", "443", "8080", "8443"])
// Exclude known browser, update, and security tool binaries (case-insensitive)
| ContextBaseFileName != /^(chrome|firefox|msedge|iexplore|opera|brave|slack|teams|outlook|onedrive|svchost|MsMpEng|MsSense|SenseIR|SenseCE|SenseNdr|zoom|dropbox|SearchApp)\.exe$/i
// Aggregate connection behaviour per host+process+dest IP
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4],
    function=[
      count(as=connection_count),
      min(timestamp, as=first_conn_ms),
      max(timestamp, as=last_conn_ms),
      collect([RemotePort], limit=5)
    ]
  )
| rename(field=RemotePort, as=ports_used)
// Minimum 10 connections to qualify as beaconing candidate
| connection_count >= 10
// Calculate time span in minutes
| span_minutes := (last_conn_ms - first_conn_ms) / 60000
| test(span_minutes > 0)
// Calculate connections per minute
| conn_per_minute := connection_count / span_minutes
// Beaconing rate window: 0.1–4 conn/min (every 15 seconds up to ~10 minutes)
| test(conn_per_minute >= 0.1)
| test(conn_per_minute <= 4.0)
// Round to two decimals for display only
| format("%.2f", field=[conn_per_minute], as=conn_per_minute)
| detection_vector := "SuspectHTTPBeaconing"
| severity := "Medium"
| sort(connection_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4,
         connection_count, span_minutes, conn_per_minute, ports_used,
         first_conn_ms, last_conn_ms, detection_vector, severity])

Two CrowdStrike LogScale (CQL) queries detecting T1001 Data Obfuscation. Query 1 uses DnsRequest events to identify high-entropy subdomain labels (30+ Base64/hex chars, 3+ queries to same domain) matching RDAT and DNS tunnel C2 patterns. Query 2 uses NetworkConnectIP4 events to flag non-browser/non-system processes exhibiting HTTP/HTTPS beaconing behaviour (0.1–4 connections/minute, 10+ connections), excluding known legitimate browser and security tool binaries.
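
The beaconing thresholds described for Query 2 (10+ connections, 0.1–4 connections per minute) can be prototyped offline before tuning the query. The following is a minimal Python sketch, not part of the shipped detection; the function names and the assumption that timestamps arrive as epoch milliseconds per host, process, and destination are illustrative.

```python
# Offline sketch of the Query 2 beaconing window (names are hypothetical).
MIN_CONNECTIONS = 10   # minimum connections to qualify as a candidate
MIN_RATE = 0.1         # connections per minute (one every 10 minutes)
MAX_RATE = 4.0         # connections per minute (one every 15 seconds)


def connections_per_minute(timestamps_ms):
    """Return connections per minute over the observed span, or None
    when there are too few connections or the span is zero."""
    if len(timestamps_ms) < MIN_CONNECTIONS:
        return None
    span_minutes = (max(timestamps_ms) - min(timestamps_ms)) / 60000
    if span_minutes <= 0:
        return None
    return len(timestamps_ms) / span_minutes


def is_beacon_candidate(timestamps_ms):
    """True when the connection rate falls inside the beaconing window."""
    rate = connections_per_minute(timestamps_ms)
    return rate is not None and MIN_RATE <= rate <= MAX_RATE


if __name__ == "__main__":
    every_minute = [i * 60_000 for i in range(10)]   # 10 check-ins, 60 s apart
    burst = [i * 1_000 for i in range(10)]           # 10 connections in 9 s
    print(is_beacon_candidate(every_minute))
    print(is_beacon_candidate(burst))
```

Running candidate traffic samples through a check like this makes it easier to see whether a noisy heartbeat agent falls inside the window before adding it to the exclusion list.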

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor: DnsRequest events (#event_simpleName=DnsRequest)
CrowdStrike Falcon sensor: NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4)
Falcon Complete / OverWatch telemetry stream

Required Tables

#event_simpleName=DnsRequest
#event_simpleName=NetworkConnectIP4

False Positives

Microsoft Intune management service and Windows Update orchestrator beacon periodically from svchost-adjacent processes (WaaSMedicSvc, UsoClient) to *.manage.microsoft.com at beaconing-like intervals — extend the exclusion list to cover these if needed
Security telemetry collectors (Elastic Agent, Splunk Universal Forwarder, Cribl Edge) make regular network connections from non-browser processes at configured heartbeat intervals that match the 0.1–4 conn/min beaconing rate
Internal Kubernetes and Consul service mesh DNS health-check patterns (e.g., sidecar proxies querying long hash-based service FQDNs) can trigger the high-entropy DNS query when running on Windows hosts with Falcon sensor
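
To see why long hash-based service names collide with the high-entropy DNS condition, the label check can be approximated offline. This is a rough Python sketch under stated assumptions: the exact regex used by Query 1 is not shown in this section, so the pattern below (30+ characters from the Base64/hex alphabet in a single label) and the "last two labels are the parent domain" rule are illustrative only.

```python
import re

# Assumed approximation of the Query 1 label test: a single DNS label of
# 30+ characters drawn from the Base64 / Base64url / hex alphabet.
ENCODED_LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]{30,}$")


def long_encoded_labels(fqdn, domain_labels=2):
    """Return the subdomain labels of fqdn that look like encoded data.

    domain_labels is a simplifying assumption: the rightmost N labels are
    treated as the parent domain and are never inspected.
    """
    labels = fqdn.rstrip(".").split(".")
    if len(labels) <= domain_labels:
        return []
    subdomain = labels[:-domain_labels]
    return [label for label in subdomain if ENCODED_LABEL_RE.match(label)]


if __name__ == "__main__":
    for name in (
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo0NTY3.test-canary.example.com",
        "a3f9c1d2e4b5a6f7c8d9e0f1a2b3c4d5.svc.cluster.local",
        "www.example.com",
    ):
        print(name, long_encoded_labels(name))
```

The second sample name is a made-up hash-style service FQDN; it matches the same pattern as the encoded C2 label, which is the false-positive case described above.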

Sigma rule & cross-platform mapping

The detection logic for Data Obfuscation (T1001) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for seven platforms: KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1001
Sigma rules on detection.fyi

Platform-specific guides for T1001

Detect in Microsoft Sentinel (KQL)
Detect in Splunk (SPL)
Detect in Elastic Security (Elastic)
Detect in IBM QRadar (QRadar)
Detect in Sumo Logic CSE (Sumo)
Detect in Google Chronicle (YARA-L)
Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1: Encoded C2 Data in DNS Subdomain Queries (RDAT Pattern)
Expected signal: Sysmon Event ID 22 (DNS Query): Three DNS queries where QueryName contains 30+ character Base64-alphabet subdomains prepended to test-canary.example.com. DNS server query logs (if forwarded to SIEM): same queries with NXDOMAIN responses. Windows DNS Client cache: ipconfig /displaydns will show the queried names.
Test 2: Obfuscated Cookie-Based C2 Simulation (Okrum Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connection from powershell.exe to 127.0.0.1:8888. stream:http (if full packet capture enabled): HTTP GET request with Cookie header containing 50+ character Base64 string and a non-standard User-Agent. Sysmon Event ID 1: powershell.exe process creation with the above command line.
Test 3: Block-Aligned HTTP POST Payload (AES-Padded C2 Response Pattern)
Expected signal: Sysmon Event ID 3: Four outbound connections from powershell.exe to 127.0.0.1:9090 with 3-second intervals. stream:http: POST requests to /update with content-type application/octet-stream; User-Agent 'Windows-Update-Agent/10.0' does not match standard Windows Update agent strings. Network bytes_out should reflect block-aligned sizes.
Test 4: Junk Data Padding in DNS TXT Record Queries (FunnyDream/Compression Pattern)
Expected signal: Sysmon Event ID 22: DNS TXT query for a 32-char random-prefix subdomain of junk-obfuscation-test.example.com. Sysmon Event ID 3: outbound HTTP connection from powershell.exe to 127.0.0.1:7777. stream:http: POST with Content-Type application/x-compress and base64-encoded deflate-compressed body, an unusual content-type for browser-originated traffic.
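
When validating Test 3, the "block-aligned sizes" expectation can be checked with a few lines of Python. This is only a sketch: it assumes you have already extracted the HTTP POST body sizes in bytes (raw bytes_out also counts headers, so it will not align on its own), and it assumes the 16-byte AES block size; the function name is hypothetical.

```python
AES_BLOCK_BYTES = 16  # AES always uses a 128-bit (16-byte) block


def block_aligned_ratio(body_sizes, block=AES_BLOCK_BYTES):
    """Return the fraction of non-empty payloads whose size is an exact
    multiple of the cipher block size (0.0 when there is nothing to check)."""
    sizes = [size for size in body_sizes if size > 0]
    if not sizes:
        return 0.0
    aligned = sum(1 for size in sizes if size % block == 0)
    return aligned / len(sizes)


if __name__ == "__main__":
    print(block_aligned_ratio([64, 128, 256, 512]))  # every body is padded
    print(block_aligned_ratio([100, 128]))           # mixed traffic
```

A ratio near 1.0 across repeated POSTs from one process is consistent with padded block-cipher output; ordinary application traffic would be expected to land on a multiple of 16 only about one time in sixteen.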

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

