T1001

Data Obfuscation

Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.

Microsoft Sentinel / Defender

kusto

// T1001: Data Obfuscation — Multi-vector C2 obfuscation detection
// Covers three key patterns: high-entropy DNS labels, non-browser HTTP beaconing, and Base64-encoded proxy URIs
//
// VECTOR 1: High-entropy DNS subdomain labels (e.g., RDAT embedding AES ciphertext in subdomains)
let HighEntropyDNS = DnsEvents
| where TimeGenerated > ago(24h)
| where SubType == "LookupQuery"
| where isnotempty(Name)
| extend Labels = split(Name, ".")
| extend SubdomainLabel = tostring(Labels[0])
| where strlen(SubdomainLabel) >= 30
// Match Base64/hex-alphabet strings — typical of encoded C2 payloads
| where SubdomainLabel matches regex @"^[A-Za-z0-9+/=_\-]+$"
// Exclude common GUID/UUID patterns used by CDNs
| where SubdomainLabel !matches regex @"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-"
| project TimeGenerated, Computer, ClientIP, QueryName = Name,
         SubdomainLabel, SubdomainLength = strlen(SubdomainLabel)
| extend DetectionVector = "HighEntropyDNSSubdomain", Severity = "High";
//
// VECTOR 2: Non-browser HTTP/HTTPS beaconing from suspicious processes
// (junk data or obfuscated payloads in regular C2 check-ins)
let SuspectBeaconing = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "SearchApp.exe", "OneDrive.exe",
    "Teams.exe", "Outlook.exe", "slack.exe", "msteams.exe",
    "zoom.exe", "dropbox.exe", "svchost.exe", "MsMpEng.exe",
    "SenseCE.exe", "SenseIR.exe", "MsSense.exe"
  )
| summarize
    ConnectionCount = count(),
    UniqueDestIPs = dcount(RemoteIP),
    DestIPs = make_set(RemoteIP, 5),
    DestPorts = make_set(RemotePort),
    EarliestConn = min(Timestamp),
    LatestConn = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessId,
     InitiatingProcessCommandLine, AccountName
| where ConnectionCount >= 10
| extend SpanMinutes = datetime_diff('minute', LatestConn, EarliestConn)
| where SpanMinutes > 0
| extend ConnPerMinute = round(toreal(ConnectionCount) / toreal(SpanMinutes), 2)
// Beaconing range: 0.1–4 connections/min (every 15 seconds to ~10 minutes)
| where ConnPerMinute between (0.1 .. 4.0)
| project TimeGenerated = LatestConn, DeviceName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AccountName,
         ConnectionCount, UniqueDestIPs, DestIPs, ConnPerMinute
| extend DetectionVector = "SuspectHTTPBeaconing", Severity = "Medium";
//
// VECTOR 3: Base64 / high-entropy data embedded in HTTP proxy request URIs
// (characteristic of malware encoding C2 commands in URL path segments)
let EncodedProxyTraffic = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceEventCategory has_any ("proxy", "web-filtering", "URL")
| where isnotempty(RequestURL)
// 40+ contiguous Base64-alphabet characters in the URL path indicate encoded content
| where RequestURL matches regex @"[A-Za-z0-9+/]{40,}={0,2}"
// Exclude well-known OAuth/CDN endpoints that legitimately embed tokens in URLs
| where RequestURL !has "accounts.google.com"
    and RequestURL !has "login.microsoftonline.com"
    and RequestURL !has ".windowsupdate.com"
    and RequestURL !has "cdn.jsdelivr.net"
    and RequestURL !has "akamaihd.net"
| project TimeGenerated, DeviceName, SourceIP, DestinationHostName,
         RequestURL, RequestMethod, DestinationPort, SourceUserName
| extend DetectionVector = "Base64EncodedProxyURI", Severity = "Medium";
//
// Combine all vectors and surface results
union HighEntropyDNS, SuspectBeaconing, EncodedProxyTraffic
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Process: Process Creation Azure DNS Analytics (DnsEvents) Microsoft Defender for Endpoint (DeviceNetworkEvents) Proxy/Firewall CEF logs (CommonSecurityLog)

Required Tables

DnsEvents DeviceNetworkEvents CommonSecurityLog

False Positives

Legitimate software update clients (Windows Update, Chrome update, application auto-updaters) making regular HTTP check-in connections at predictable intervals — exclude by process name and destination domain allowlist
Cloud synchronization agents (OneDrive, Dropbox, Box, iCloud) establishing frequent HTTPS connections with encoded content in URLs — add to the excluded process list in Vector 2
CDN and authentication platforms (Akamai, Cloudflare, Azure AD) using long Base64 tokens in redirect URLs — extend the exclusion list in Vector 3 with known CDN domains
Security monitoring and endpoint agents (CrowdStrike, SentinelOne, Qualys) beaconing at regular intervals to management infrastructure — identify agent process names and exclude them
Internal DNS-based service discovery mechanisms or Kubernetes DNS with long service names — review high-entropy DNS alerts against internal DNS server IPs before escalating
Web application firewalls or DLP proxies that re-encode request URLs during forwarding — validate by checking SourceIP against known proxy infrastructure

Splunk

spl

| multisearch
  [search index=network sourcetype="stream:http"
  | eval detection_vector="HTTP_Obfuscation"
  | eval url_path=coalesce(uri_path, uri, "-")
  | eval user_agent_lower=lower(coalesce(http_user_agent, "-"))
  // Flag 1: Non-standard User-Agent strings not matching known browser/runtime patterns
  | eval flag_suspicious_ua=if(
      NOT match(user_agent_lower, "(mozilla|chrome|safari|firefox|edge|curl|python-requests|go-http-client|wget|java|okhttp|axios)"),
      1, 0
    )
  // Flag 2: Base64 or high-entropy encoded blob in URL path (40+ contiguous Base64 chars)
  | eval flag_encoded_url=if(match(url_path, "[A-Za-z0-9+/]{40,}={0,2}"), 1, 0)
  // Flag 3: Encoded data in Cookie header (Okrum pattern — C2 commands hidden in Cookie values)
  | eval flag_encoded_cookie=if(
      match(coalesce(cookie, "-"), "[A-Za-z0-9+/=]{50,}"),
      1, 0
    )
  // Flag 4: Response body size divisible by cipher block size (16 bytes) — AES block alignment
  // Common indicator of encrypted/padded C2 response with predictable structure
  | eval resp_len=tonumber(coalesce(bytes_out, response_body_len, "0"))
  | eval flag_block_aligned=if(resp_len > 0 AND resp_len < 4096 AND (resp_len % 16)==0, 1, 0)
  // Flag 5: HTTP POST directly to an IP address (no domain) — raw C2 without domain fronting
  | eval flag_post_to_ip=if(
      method=="POST" AND match(coalesce(dest_ip, dest, "-"), "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$"),
      1, 0
    )
  | eval suspicion_score=flag_suspicious_ua + flag_encoded_url + flag_encoded_cookie + flag_block_aligned + flag_post_to_ip
  | where suspicion_score > 0
  | table _time, src_ip, dest_ip, site, url_path, method, status,
          http_user_agent, cookie, bytes_out,
          flag_suspicious_ua, flag_encoded_url, flag_encoded_cookie,
          flag_block_aligned, flag_post_to_ip, suspicion_score, detection_vector]

  [search index=network (sourcetype="bro:dns" OR sourcetype="zeek:dns")
  | eval detection_vector="DNS_Obfuscation"
  | eval query_name=coalesce(query, "-")
  | eval labels=split(query_name, ".")
  | eval first_label=mvindex(labels, 0)
  | eval label_len=len(first_label)
  // High-entropy subdomain: 30+ chars of Base64/hex alphabet (RDAT/DNS-tunnel pattern)
  | eval flag_encoded_url=if(label_len >= 30 AND match(first_label, "^[A-Za-z0-9+/=_\\-]+$"), 1, 0)
  | eval flag_suspicious_ua=0
  | eval flag_encoded_cookie=0
  | eval flag_block_aligned=0
  | eval flag_post_to_ip=0
  | eval suspicion_score=flag_encoded_url
  | where suspicion_score > 0
  | table _time, src_ip, query_name, first_label, label_len,
          flag_encoded_url, suspicion_score, detection_vector]

  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval detection_vector="Sysmon_DNS_Obfuscation"
  | eval query_name=coalesce(QueryName, "-")
  | eval labels=split(query_name, ".")
  | eval first_label=mvindex(labels, 0)
  | eval label_len=len(first_label)
  | eval flag_encoded_url=if(label_len >= 30 AND match(first_label, "^[A-Za-z0-9+/=_\\-]+$"), 1, 0)
  | eval flag_suspicious_ua=0
  | eval flag_encoded_cookie=0
  | eval flag_block_aligned=0
  | eval flag_post_to_ip=0
  | eval suspicion_score=flag_encoded_url
  | where suspicion_score > 0
  | table _time, host, Image, User, query_name, first_label, label_len,
          flag_encoded_url, suspicion_score, detection_vector]

| sort - suspicion_score, - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content (stream:http) Network Traffic: Network Traffic Flow (bro:dns / zeek:dns) Process: Process Creation (Sysmon Event ID 22 DNS queries)

Required Sourcetypes

stream:http bro:dns zeek:dns XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CDN and object storage services (S3, Azure Blob, CloudFront) that embed long object hashes or signed tokens directly in URL paths — add their domains to an exclusion lookup
OAuth2 redirect URIs and SAML assertion URLs carrying base64-encoded tokens — these are expected patterns from identity providers (Google, Azure AD, Okta)
Automated monitoring scripts and health-check agents using custom User-Agent strings — build an allowlist of internal scan IPs to suppress flag_suspicious_ua
DNS-based service mesh frameworks (Consul, Kubernetes CoreDNS) generating long service-discovery hostnames — exclude internal resolver IPs for DNS obfuscation vectors
Enterprise proxy solutions that re-sign or transform URLs during content inspection may produce Base64-looking path segments — validate source IP against known proxy infrastructure before escalating

Elastic Security (EQL)

eql

/* T1001: Data Obfuscation — Multi-vector C2 obfuscation detection
   Vector 1: High-entropy DNS subdomain labels (RDAT / DNS tunnel AES encoding)
   Vector 2: Non-browser process outbound HTTP beaconing
   Vector 3: Base64-encoded blob embedded in HTTP request URI path */
any where
  /* Vector 1: DNS query whose first label is 30+ chars of Base64/hex alphabet */
  (
    event.category == "network" and
    network.protocol == "dns" and
    dns.question.name != null and
    dns.question.name regex "[A-Za-z0-9+/=_-]{30,}\\." and
    not dns.question.name regex "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}"
  ) or
  /* Vector 2: Non-browser / non-system process making outbound web-port connection */
  (
    event.category == "network" and
    event.type in ("start", "connection") and
    destination.port in (80, 443, 8080, 8443) and
    network.direction == "egress" and
    process.name != null and
    not process.name in~ (
      "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
      "opera.exe", "brave.exe", "slack.exe", "teams.exe",
      "outlook.exe", "onedrive.exe", "svchost.exe", "MsMpEng.exe",
      "SearchApp.exe", "zoom.exe", "dropbox.exe", "SenseCE.exe",
      "SenseIR.exe", "MsSense.exe"
    )
  ) or
  /* Vector 3: 40+ contiguous Base64-alphabet chars in HTTP URI path
     Excludes known-clean OAuth and CDN token endpoints */
  (
    event.category == "network" and
    url.path != null and
    url.path regex "[A-Za-z0-9+/]{40,}={0,2}" and
    not url.domain in (
      "accounts.google.com", "login.microsoftonline.com",
      "windowsupdate.com", "cdn.jsdelivr.net", "akamaihd.net"
    )
  )

high severity medium confidence

Data Sources

Elastic Agent network telemetry (endpoint.events.network) Packetbeat network capture Zeek/Bro logs via Filebeat (zeek.dns, zeek.http) Auditbeat network socket events

Required Tables

logs-endpoint.events.network-* packetbeat-* logs-zeek.dns-* logs-zeek.http-*

False Positives

CDN providers (Akamai, CloudFlare, Fastly) use long tokenized subdomains for edge routing that can exceed 30 characters and match the Base64/hex alphabet pattern without being malicious
Enterprise monitoring agents (Datadog, New Relic, Dynatrace) beacon at regular intervals from non-browser processes using custom HTTP clients, triggering the beaconing vector
OAuth 2.0 and JWT token flows legitimately embed long Base64-encoded state parameters and signed CDN URLs (AWS S3 pre-signed, Azure Blob SAS tokens) in HTTP request paths

IBM QRadar (AQL)

sql

/* T1001: Data Obfuscation — QRadar AQL multi-vector detection
   Covers: (1) high-entropy DNS subdomain labels, (2) suspicious HTTP User-Agent strings,
   (3) Base64-encoded blobs in HTTP proxy request URIs */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "Query" AS dns_query_name,
  "URL" AS request_url,
  "User Agent" AS user_agent_string,
  CASE
    WHEN REGEXP_MATCH("Query", '^[A-Za-z0-9+/=_-]{30,}\.')
      THEN 'HighEntropyDNSSubdomain'
    WHEN NOT REGEXP_MATCH(LOWER(COALESCE("User Agent", '')), '(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)')
      AND destinationport IN (80, 443, 8080, 8443)
      AND "User Agent" IS NOT NULL
      THEN 'SuspiciousUserAgent'
    WHEN REGEXP_MATCH(COALESCE("URL", ''), '[A-Za-z0-9+/]{40,}={0,2}')
      AND NOT "URL" LIKE '%accounts.google.com%'
      AND NOT "URL" LIKE '%login.microsoftonline.com%'
      AND NOT "URL" LIKE '%windowsupdate.com%'
      AND NOT "URL" LIKE '%cdn.jsdelivr.net%'
      THEN 'Base64EncodedURI'
    ELSE 'MultiVector'
  END AS detection_vector
FROM events
WHERE
  /* Last 24 hours in milliseconds */
  starttime > (DATEFORMAT(NOW(), 'epoch') - 86400000)
  AND
  (
    /* Vector 1: DNS query with high-entropy first label (30+ Base64/hex chars) */
    REGEXP_MATCH("Query", '^[A-Za-z0-9+/=_-]{30,}\.')

    OR

    /* Vector 2: Non-standard User-Agent on web ports — non-browser tooling */
    (
      destinationport IN (80, 443, 8080, 8443)
      AND "User Agent" IS NOT NULL
      AND NOT REGEXP_MATCH(
        LOWER(COALESCE("User Agent", '')),
        '(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)'
      )
    )

    OR

    /* Vector 3: Base64-encoded blob in HTTP URI path from proxy/web-filtering sources */
    (
      "URL" IS NOT NULL
      AND REGEXP_MATCH("URL", '[A-Za-z0-9+/]{40,}={0,2}')
      AND NOT "URL" LIKE '%accounts.google.com%'
      AND NOT "URL" LIKE '%login.microsoftonline.com%'
      AND NOT "URL" LIKE '%windowsupdate.com%'
      AND NOT "URL" LIKE '%cdn.jsdelivr.net%'
      AND NOT "URL" LIKE '%akamaihd.net%'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar DNS log sources (Windows DNS, BIND, Infoblox) Proxy and web gateway logs (BlueCoat, Squid, Zscaler, McAfee Web Gateway) Network IDS/IPS (Snort, Suricata via QRadar DSM) WinCollect Sysmon EventCode 22 (DNS queries)

Required Tables

events

False Positives

Microsoft Azure service discovery and ARM template deployments generate long DNS subdomain labels under *.azure.com and *.windows.net that can match the 30-character entropy threshold
Custom enterprise Java or .NET applications using HttpClient without a browser-style User-Agent header will appear as suspicious UA while performing legitimate internal API calls
AWS S3 pre-signed URLs and Azure Blob Storage SAS tokens embed HMAC-SHA256 signatures as long Base64-encoded query parameters that match the encoded URI pattern

Sumo Logic CSE

sql

/* T1001: Data Obfuscation — Sumo Logic multi-vector C2 obfuscation detection
   Parses multiple DNS and HTTP/proxy log formats from common collectors */
(_sourceCategory=*network*dns*
 OR _sourceCategory=*network*http*
 OR _sourceCategory=*proxy*
 OR _sourceCategory=*web*filter*
 OR _sourceCategory=*zeek*
 OR _sourceCategory=*bro*)

// --- DNS field extraction (multiple format variants) ---
| parse field=_raw "query: *" as dns_query nodrop
| parse field=_raw "\"qname\":\"*\"" as dns_query nodrop
| parse field=_raw "QueryName=*" as dns_query nodrop

// Extract first DNS label (subdomain segment before first dot)
| parse regex field=dns_query "^(?<first_label>[^\.]{30,})\." nodrop

// --- HTTP/proxy field extraction ---
| parse field=_raw "cs-uri-stem=*" as request_url nodrop
| parse field=_raw "\"uri\":\"*\"" as request_url nodrop
| parse field=_raw "RequestURL=*" as request_url nodrop
| parse field=_raw "cs(User-Agent)=*" as user_agent nodrop
| parse field=_raw "\"http_user_agent\":\"*\"" as user_agent nodrop

// --- Detection vector evaluation ---

// V1: High-entropy DNS subdomain label
| eval v_dns = if(
    !isNull(first_label)
    AND length(first_label) >= 30
    AND matches(first_label, "^[A-Za-z0-9+/=_-]+$"),
    "HighEntropyDNSSubdomain",
    null
  )

// V2: Base64-encoded blob in HTTP URI path; exclude known-clean OAuth/CDN endpoints
| eval v_encoded_url = if(
    !isNull(request_url)
    AND matches(request_url, "[A-Za-z0-9+/]{40,}={0,2}")
    AND !matches(request_url, "accounts\\.google\\.com|login\\.microsoftonline\\.com|windowsupdate\\.com|cdn\\.jsdelivr\\.net|akamaihd\\.net"),
    "Base64EncodedURI",
    null
  )

// V3: Non-browser / non-standard User-Agent on HTTP/HTTPS traffic
| eval v_ua = if(
    !isNull(user_agent)
    AND !matches(user_agent, "(?i)(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)"),
    "SuspiciousUserAgent",
    null
  )

// Coalesce vectors — emit only events with at least one signal
| eval detection_vector = coalesce(v_dns, v_encoded_url, v_ua)
| where !isNull(detection_vector)

| fields _messagetime, _sourceHost, _sourceCategory,
         dns_query, first_label, request_url, user_agent, detection_vector
| sort by _messagetime desc

high severity medium confidence

Data Sources

Proxy and web gateway logs (BlueCoat, Squid, Zscaler, Symantec WSS) DNS server logs (Windows DNS Event, BIND query log, Infoblox) Zeek/Bro network logs via Sumo Logic collector Network IDS enrichment logs

Required Tables

_sourceCategory=*network*dns* _sourceCategory=*proxy* _sourceCategory=*web*filter* _sourceCategory=*zeek*

False Positives

Content delivery networks (Akamai, Fastly, CloudFlare) use long tokenized subdomains for edge cache routing that regularly exceed the 30-character threshold and match Base64-alphabet patterns
Google Analytics, Adobe Analytics, and Segment.io tracking beacons embed long Base64-encoded event payloads in HTTPS beacon URLs that match the encoded URI vector
Enterprise backup and endpoint synchronization tools (Veeam, Acronis, Azure Backup Agent) make scheduled HTTP callbacks with non-browser User-Agent strings at beaconing-like intervals

Google Chronicle / SecOps

yaral

// T1001: Data Obfuscation — Chronicle YARA-L 2.0 detection rules
// Two rules covering DNS entropy and HTTP encoding/beaconing vectors

// ============================================================
// Rule 1: High-entropy DNS subdomain labels
// Detects RDAT AES-in-subdomain, DNS tunneling, covert channel encoding
// ============================================================
rule t1001_data_obfuscation_dns_entropy {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1001 Data Obfuscation via high-entropy DNS subdomain labels (30+ Base64/hex chars). Matches RDAT AES ciphertext-in-subdomain and DNS-over-HTTPS tunneling C2 channel patterns."
    mitre_attack_tactic      = "Command and Control"
    mitre_attack_technique   = "T1001"
    mitre_attack_subtechnique = "T1001.002"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    // First DNS label is 30+ chars of Base64/hex alphabet
    $dns.network.dns.questions.name = /^[A-Za-z0-9+\/=_\-]{30,}\./
    // Exclude CDN GUID-style subdomains (CloudFlare, Akamai routing tokens)
    not $dns.network.dns.questions.name = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
    $dns.principal.hostname = $src_hostname

  condition:
    $dns
}

// ============================================================
// Rule 2: Base64-encoded URI path or non-browser HTTP beaconing
// Covers encoded C2 commands in URL segments and suspicious User-Agents
// ============================================================
rule t1001_data_obfuscation_http_encoding {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1001 Data Obfuscation via Base64-encoded blobs in HTTP request URI paths and non-browser User-Agent strings making outbound connections. Covers StrelaStealer XOR/Base64 POST patterns and TrailBlazer/Ninja C2 URI obfuscation."
    mitre_attack_tactic      = "Command and Control"
    mitre_attack_technique   = "T1001"
    mitre_attack_subtechnique = "T1001.003"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    (
      // Vector A: 40+ contiguous Base64-alphabet chars in request URL path
      (
        $http.network.http.request_url = /[A-Za-z0-9+\/]{40,}={0,2}/
        and not $http.target.hostname = /accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net/
      )
      or
      // Vector B: Non-browser / non-standard User-Agent on outbound web port
      (
        not $http.network.http.user_agent = /((?i)mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)/
        and $http.target.port in [80, 443, 8080, 8443]
        and $http.network.direction = "OUTBOUND"
        and $http.network.http.user_agent != ""
      )
    )
    $http.principal.hostname = $src_host
    $http.target.hostname = $dst_host

  condition:
    $http
}

high severity medium confidence

Data Sources

Chronicle UDM NETWORK_DNS events (from Forwarder, endpoint EDR, or DNS log ingestion) Chronicle UDM NETWORK_HTTP events (from proxy, web gateway, or packet capture feeds) Google Cloud network telemetry via Chronicle Forwarder CrowdStrike / Carbon Black EDR events normalized to UDM

Required Tables

UDM events — metadata.event_type = NETWORK_DNS UDM events — metadata.event_type = NETWORK_HTTP

False Positives

Azure AD tenant-specific SSO flows generate DNS queries for long subdomain chains under *.microsoftonline.com and *.azure.com that can match the 30-character entropy threshold in Rule 1
Security endpoint agents (CrowdStrike Falcon, Carbon Black, SentinelOne) perform regular health-check HTTP callbacks with proprietary User-Agent strings that don't match the browser exclusion pattern in Rule 2
Google reCAPTCHA v3 and Cloudflare Turnstile embed long Base64-encoded challenge tokens in HTTPS request paths during bot-verification flows, matching the URI encoding pattern in Rule 2

CrowdStrike LogScale (CQL)

cql

// T1001: Data Obfuscation — CrowdStrike LogScale (CQL) detection
// Two saved queries: DNS entropy and HTTP beaconing vectors
// Run each independently or schedule as separate detection jobs

// ============================================================
// QUERY 1: High-entropy DNS subdomain labels
// Source: Falcon DnsRequest telemetry
// Detects RDAT AES-in-subdomain, DNS tunnel C2, covert channel encoding
// ============================================================
#event_simpleName=DnsRequest
| DomainName = /^[A-Za-z0-9+\/=_\-]{30,}\./
// Exclude GUID-style CDN and service-mesh subdomains
| DomainName != /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
// Aggregate: count queries per host+process+domain over session window
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=query_count),
      min(timestamp, as=first_seen_ms),
      max(timestamp, as=last_seen_ms)
    ]
  )
// Require at least 3 queries to the same high-entropy domain (reduces single-lookup FPs)
| where query_count >= 3
| eval detection_vector = "HighEntropyDNSSubdomain"
| eval severity = "High"
| sort(query_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, DomainName,
         query_count, first_seen_ms, last_seen_ms, detection_vector, severity])


// ============================================================
// QUERY 2: Non-browser process HTTP/HTTPS beaconing
// Source: Falcon NetworkConnectIP4 telemetry
// Detects junk-data C2 check-ins and obfuscated payload beaconing
// ============================================================
#event_simpleName=NetworkConnectIP4
| RemotePort in [80, 443, 8080, 8443]
// Exclude known browser, update, and security tool binaries
| ContextBaseFileName != /(?i)^(chrome|firefox|msedge|iexplore|opera|brave|slack|teams|outlook|onedrive|svchost|MsMpEng|MsSense|SenseIR|SenseCE|SenseNdr|zoom|dropbox|OneDrive|SearchApp)\.exe$/
// Aggregate connection behaviour per host+process+dest IP
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4],
    function=[
      count(as=connection_count),
      min(timestamp, as=first_conn_ms),
      max(timestamp, as=last_conn_ms),
      array(values=RemotePort, as=ports_used, limit=5),
      uniqueCount(RemoteAddressIP4, as=unique_dest_ips)
    ]
  )
// Minimum 10 connections to qualify as beaconing candidate
| where connection_count >= 10
// Calculate time span in minutes
| eval span_minutes = (last_conn_ms - first_conn_ms) / 60000
| where span_minutes > 0
// Calculate connections per minute
| eval conn_per_minute = round(connection_count / span_minutes, 2)
// Beaconing rate window: 0.1–4 conn/min (every 15 seconds up to ~10 minutes)
| where conn_per_minute >= 0.1 AND conn_per_minute <= 4.0
| eval detection_vector = "SuspectHTTPBeaconing"
| eval severity = "Medium"
| sort(connection_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4,
         connection_count, span_minutes, conn_per_minute, ports_used,
         first_conn_ms, last_conn_ms, detection_vector, severity])

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor — DnsRequest events (#event_simpleName=DnsRequest) CrowdStrike Falcon sensor — NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4) Falcon Complete / OverWatch telemetry stream

Required Tables

#event_simpleName=DnsRequest #event_simpleName=NetworkConnectIP4

False Positives

Microsoft Intune management service and Windows Update orchestrator beacon periodically from svchost-adjacent processes (WaaSMedicSvc, UsoClient) to *.manage.microsoft.com at beaconing-like intervals — extend the exclusion list to cover these if needed
Security telemetry collectors (Elastic Agent, Splunk Universal Forwarder, Cribl Edge) make regular network connections from non-browser processes at configured heartbeat intervals that match the 0.1–4 conn/min beaconing rate
Internal Kubernetes and Consul service mesh DNS health-check patterns (e.g., sidecar proxies querying long hash-based service FQDNs) can trigger the high-entropy DNS query when running on Windows hosts with Falcon sensor

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Obfuscation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Command and Control

Popular Detections